
In the early morning hours of June 11th, 2006, the Apple community lost a
fellow writer, trainer, advocate, all-around-fount-of-knowledge and friend.
Michael Bartosh, author of O'Reilly's Essential Panther Server
Administration ("the" server book), passed away while on a consulting
assignment in Japan.

Only 28, Michael deeply understood OS X technology. More importantly, he
would graciously share that knowledge on the many mailing lists he was
subscribed to. There are few in the Mac community that haven't been helped
by Michael, either directly through a consulting assignment, through his
training or as he answered someone else's question on a list.

While there are many people who knew Michael much better than I did, I was
fortunate enough to know Michael through the Apple Consultants Network, and to
have met him several times at industry events. Of course, you didn't just meet
Michael - he was quite a character, and would immediately make a lasting
impression. Nor do you go to an industry event that doesn't have its share of
gatherings: vendor sponsored or otherwise. Michael was always a presence.

Michael was a long time speaker at WWDC and Mac World, where I was also
fortunate enough to spend some time with him in the speaker lounge, getting to
see him behind the scenes. He was always relaxed, and always ready to speak.

Michael's passing will be felt in the Mac community for some time to come.
Although he's known for his technical acumen, he was anything but
one-dimensional. Everyone has their own unique memories of their time with
Michael: from training and working, to simply having a great time, enjoying
life. If you hold an Apple server or training certification, know that Michael
was instrumental in developing the training classes and the ACSA and ACTC
tests.

Many people have been looking for a way to show support for Michael and a
way to best remember him. MacWorld is setting up The Michael Bartosh
Scholarship Fund. The goal is to send a talented, student age, network engineer
to the MacIT Conference at MacWorld each year, all expenses paid. More
information about the fund can be found at < http://wvmfflacworl(fe^

Michael, you will be missed!
Mac In The Shell

by Edward Marczak

OS X Investigation and Troubleshooting - Part 3

The secrets to OS X success

Introduction

Shovels, spades, back hoes, and even your hands: ways to
dig. Just like our analog world, OS X provides us many tools
with which to dig in. The first two parts of this series introduced
several utilities, like tripwire, find and lsbom to check and
monitor changes on a file system. We also looked at programs
that monitor processes such as top and Spin Control. This
month, we'll look at ways to check out specific binaries -
particularly ones that are poorly documented. This will take a
combination of looking at their images on the file system, and
looking at their processes while they're running.

Slinging the Strings

Almost all programs have some static text stored as strings.
Fact of the matter is, though, that C, C++, compiled AppleScript,
and (especially) Objective C have a massive amount of
descriptive text ripe for the plucking. What more aptly-named
utility to use than strings?

strings looks for ASCII data in its input, and will output,
by default, any ASCII strings that are at least 4 characters. This
takes very little explanation once you see it in action. Recently,
I had to troubleshoot OS X Server's Password Service. While
there is a man page, it doesn't quite tell you everything. To the
shell I go! Running strings on PasswordService certainly
yielded a bit of info:

strings /usr/sbin/PasswordService | less
__dyld_mod_term_funcs
__dyld_make_delayed_module_initializer_calls
__dyld_image_count
__dyld_get_image_name
__dyld_get_image_header
__dyld_NSLookupSymbolInImage
__dyld_NSAddressOfSymbol
libobjc
__objcInit
The kernel support for the dynamic linker is not present to run this program.
RunAppThread Created
RunAppThread Deleted
RunAppThread Started

(66S lines snipped for brevity) 

Paging through the output yielded a few golden nuggets,
including this line:

/Library/Preferences/com.apple.passwordserver.plist

Hey! There's no mention of a plist in the man page! Another
interesting line jumped out:

External password command rejected because it must be in /usr/sbin/authserver/tools

Looking in /usr/sbin/authserver/tools reveals one program:
weakpass. No man page, no real help, just a brief usage
statement. I ran it and got this:

./weakpass marczak admin
approved

A quick search led me to weakpass_edit which does have
a man page, and explains what the program does a bit better.
Useful for future reference.

Running strings on this one binary yielded a good bit of
info. However, be aware that you're not looking at the actual
source of a program, so some of your detective work is simply
inference. You may be looking at strings from a section of code
that isn't really implemented yet. Frankly, you don't always
know for sure precisely what you're looking at.

Sometimes you find funny comments (I'll leave you to look at
strings /usr/sbin/AppleFileServer yourself), and
sometimes a developer reveals much more than they had hoped. I
once was able to map out an entire website and dig into parts of it
that the webmaster didn't know he was sharing - all thanks to info
derived from running strings on a binary. More importantly, I find
strings useful for finding anything hardcoded - you'll find this a
surprising amount, instead of an app reading from a preference file.
Or, you'll find the hardcoded debug flags that it may be looking for.
Back to OS X Server for one more example.

One day, while doing a little battle with OS X Directory
Services, I remembered that there is a way to throw DirectoryService
into debug mode. While the kill -USR1 trick is documented, that
only debugs after one has logged in. Unfortunately, plenty happens
while the machine is booting, before logging in is possible. I knew
I once heard of a way to get DirectoryService to debug
everything... strings to the rescue. A simple:

strings /usr/sbin/DirectoryService
yielded this deep into the output:

/Library/Preferences/DirectoryService/.DSLogDebugAtStart
/Library/Preferences/DirectoryService/.DSLogAPIAtStart

Enough to jog my memory! A simple 'touch
/Library/Preferences/DirectoryService/.DSLogDebugAtStart'
starts filling
/Library/Logs/DirectoryService/DirectoryService.debug.log -
right from the word go! Very handy.

So, I wouldn't give up strings too easily. But when using it,
you have to remember to put the output into some sort of context,
and certainly don't use the output to justify anything you can't
prove empirically by running the program you're inspecting.
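
The triage described in this section, sketched in Python as an added example (not code from the article or from Apple): it re-implements the default behaviour of strings, pulls out any absolute paths, and separates preference files from hidden flag files such as .DSLogDebugAtStart. SAMPLE_IMAGE is a byte string constructed for illustration from strings quoted above, and all function names are this example's own.

```python
from __future__ import annotations

import re

MIN_LEN = 4  # strings(1) reports runs of at least 4 printable characters by default


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of printable ASCII (tab, space..tilde) of min_len or more."""
    run = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


# An absolute path with at least two components. It may sit on its own or be
# embedded in a longer message ("... must be in /usr/sbin/authserver/tools").
PATH_RE = re.compile(r"/(?:[\w.\-]+/)+[\w.\-]+")


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Sort hardcoded paths into the categories the article cares about."""
    found: dict[str, list[str]] = {
        "preference_files": [],   # undocumented plists the binary reads
        "hidden_flag_files": [],  # dotfiles whose mere presence changes behaviour
        "other_paths": [],        # directories, helper tools, libraries
    }
    for s in strings:
        for path in PATH_RE.findall(s):
            name = path.rsplit("/", 1)[1]
            if name.startswith("."):
                bucket = "hidden_flag_files"
            elif name.endswith(".plist"):
                bucket = "preference_files"
            else:
                bucket = "other_paths"
            if path not in found[bucket]:
                found[bucket].append(path)
    return found


def scan_file(path: str) -> dict[str, list[str]]:
    """Run the same triage over a binary on disk."""
    with open(path, "rb") as fh:
        return triage(extract_strings(fh.read()))


# Constructed sample: non-printable filler bytes around strings quoted in the text.
SAMPLE_IMAGE = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x02"
    b"RunAppThread Created\x00"
    b"abc\x00"  # shorter than MIN_LEN, so it is not reported
    b"/Library/Preferences/com.apple.passwordserver.plist\x00\x07\x00"
    b"External password command rejected because it must be in "
    b"/usr/sbin/authserver/tools\x00\xff\xfe"
    b"/Library/Preferences/DirectoryService/.DSLogDebugAtStart\x00"
)

if __name__ == "__main__":
    for category, paths in triage(extract_strings(SAMPLE_IMAGE)).items():
        print(category)
        for p in paths:
            print("   ", p)
```

As the article says, a path found this way is only a lead: confirm it by watching the running program before relying on it.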

Watching While Running

Often, you'll find yourself wondering, "just what is that app
doing right now?" Up until now, this series hasn't really focused
on watching code run, outside of watching the resources it's
taking. Sometimes, though, the only way to really troubleshoot
an app is to watch it self-destruct. Of course, there are utilities
that aid in doing just that.

Like top for running processes, sc_usage shows system
calls and page statistics as a program makes calls and pages in
and out in a top-like style. You must be root to run sc_usage,
which takes a pid, process name, or name of an app to execute
by using the -E switch. I prefer to use a process id as it's a little
more specific. Let's take a look at Apache running locally on my
machine as it serves a web page: (See Listing 1.)

The first block of information shows the process name and some
basic statistics, counting from the time you started sc_usage. In
the next block, there are rows segregated by type, with the
following headings:

Type - The type of system call or, in the last group, the actual
call used.
Number - The number of times this call has been made. A
number in parentheses represents the delta between samples.
CPU_Time - The amount of CPU time this process has used.
Wait_time - The amount of time this process has spent waiting.

The final block of information is only displayed once the
program starts to make calls, and is displayed from the bottom
of the terminal up. The columns in this group are:

Current_type - The system call currently being made.
Last_pathname_waited_for - The last pathname referenced by a
system call that blocked.
Cur_wait_time - Time a thread has been blocked.
Thrd# - The thread number in question.
Pri - The scheduling priority.

The overwhelming majority of the time, when you run sc_usage,
you'll have 'mach_msg_trap' in the system call list. Popular
system call? Not quite; this shows that a call is blocked and
waiting for something to happen.



# sc_usage 134

httpd        0 preemptions    0 context switches    1 thread     07:11:38
             0 faults         0 system calls                     0:01:11

TYPE              NUMBER    CPU_TIME    WAIT_TIME

System  Idle                            0:21.670(0:00.683)
System  Busy                            0:14.614(0:00.326)
httpd   Usermode            0:00.179

zero_fill         1215      0:00.024    0:00.001
pagein            143       0:00.018    0:01.046
copy_on_write     137       0:00.007    0:00.059
cache_hit         314       0:00.003    0:00.000

read              278       0:00.019    0:19.523
accept            1         0:00.000    0:13.716(0:01.010) W
stat              286       0:00.038    0:00.494
open              197       0:00.012    0:00.491
close             195       0:00.020    0:00.176
mach_msg_trap     411       0:00.003    0:00.164
access            26        0:00.010    0:00.115
statfs            11        0:00.009    0:00.083
poll              2         0:00.000    0:00.075
getdirentries     141       0:00.130    0:00.063
chdir             2         0:00.000    0:00.004
getattrlist       261       0:00.012    0:00.001
lstat             189       0:00.009    0:00.000
vm_allocate       215       0:00.003    0:00.000

CURRENT_TYPE   LAST_PATHNAME_WAITED_FOR             CUR_WAIT_TIME  THRD#  PRI
accept         //%Z39/%239105369/footer.tpl.php     4:50.062       0      31


Listing 1.

Watching the Files

Sometimes, troubleshooting - or just your curiosity - leads
to a more specific query: which files does this application touch?
Either read, create or write; what's it accessing? sc_usage
might only give you half of the picture. Enter fs_usage. As
you may have guessed, this utility will display file system usage.
fs_usage will run with no switches, displaying all file system
calls. But, we can show more finesse than that. You can also
pass in a process id or process name that will constrain the
output to that process only - very wise, as fs_usage generates a
huge amount of output. If you use a process name, fs_usage will
match all occurrences of that name. Let's watch it in action
against the same httpd process from earlier (Listing 2):

# fs_usage 134

20:58:33.660  PAGE_IN  A=0x00015000  B=0x2000                     0.020402 W httpd
20:58:33.897  PAGE_IN  A=0xa0002000  B=0x1000                     0.236411 W httpd
20:58:33.991  PAGE_IN  A=0x00019000  B=0x1000                     0.001612 W httpd
20:58:33.991  PAGE_IN  A=0x00014000  B=0x0                        0.000008   httpd
20:58:33.991  read     F=4  B=0x114                               0.000030   httpd
20:58:33.992  PAGE_IN  A=0x0004c000  B=0x1000                     0.000278 W httpd
20:58:33.992  PAGE_IN  A=0x0001a000  B=0x1000                     0.000167 W httpd
20:58:33.996  PAGE_IN  A=0x0002f000  B=0x1000                     0.000322 W httpd
20:58:33.997  PAGE_IN  A=0x00017000  B=0x3000                     0.000315 W httpd
20:58:33.997  PAGE_IN  A=0x00016000  B=0x0                        0.000007   httpd
20:58:33.093  stat     /www/wheresspot/html                       0.095943 W httpd
20:58:33.093  open     [  2]  /www/wheresspot/html/.htaccess      0.000227 W httpd
20:58:33.093  statfs                                              0.000018   httpd
20:58:33.094  statfs   /Library/WebServer/Documents               0.000115   httpd
20:58:33.094  statfs   /Library/WebServer/CGI-Executables         0.000063   httpd
20:58:33.094  statfs   /Users/beld/Sites                          0.000028   httpd
20:58:33.094  statfs   /Users/test/Sites                          0.000009   httpd
20:58:33.094  statfs   /Users/marczak/Sites                       0.000009   httpd
20:58:33.094  statfs   /Users/supervisor/Sites                    0.000009   httpd
20:58:33.094  statfs   /www/wheresspot/html                       0.000265 W httpd
20:58:33.120  statfs   /usr/share/httpd/icons                     0.025489 W httpd
20:58:33.161  statfs   [  2]  * 1 \.\,namedfork                   0.000035   httpd
20:58:33.186  PAGE_IN  A=0x000a2000  B=0x2000                     0.024381 W httpd
20:58:33.198  PAGE_IN  A=0x0020a000  B=0x1000                     0.011685 W httpd
20:58:33.214  stat     /www/wheresspot/html/index.html            0.015336 W httpd
20:58:33.214  PAGE_IN  A=0x0002d000  B=0x2000                     0.000318 W httpd
20:58:33.214  PAGE_IN  A=0x0002e000  B=0x0                        0.000012   httpd
20:58:33.215  PAGE_IN  A=0x00018000  B=0x0                        0.000014   httpd
20:58:33.215  stat     /www/wheresspot/html/index.html            0.000119   httpd

Listing 2.

That's some great output! What's it telling us? The first column is
the time that the event occurred. The second column is the actual
call or page event. The next column represents the data of the
call. On a page fault, the data shows the address, represented
by "A=" and, the number of bytes read or written, shown by "B=".
A read call is similar, showing the file descriptor read from in "F=",
and the number of bytes read. The next column shows the time spent
on the call. A "W" next to the time means that the process was
scheduled out during this time, and the value includes wait time
(like waiting for some long I/O process). The final column shows the
process name; useful when you're monitoring multiple processes.

In this example, I particularly like the section where we can
really see Apache listening to the default Apple configuration
(about 16 lines in starting with the 'statfs' block) - it walks each
of the user's "Sites" folders. Of course, there was a lot more
output from fs_usage, but we could only look at a small portion
here. Also, note that errors are displayed in square brackets. For
example, Apache needs to look for an htaccess file, but not every
directory will have or need one. Because of this, you'll see the
open call return with an error [2] on line 12 in the output.

Naturally, you need to be root to allow fs_usage to dig in where it
needs to. I should also point out that fs_usage is sensitive to the
size of your terminal. The more columns you have, the more it'll
display (to a point). If you always want to enable wide output,
regardless of your actual terminal width, use the '-w' flag. Also,
note that you can exclude processes with the "-e" switch. By itself,
the "-e" switch will exclude the fs_usage program itself.

Watching the Watcher

As handy as sc_usage and fs_usage are, sometimes you
just need more insight. When you need to reach into the
nuclear arsenal, the first thing you should pull out is ktrace. If
you've never used ktrace, please read this entire section
before trying on a production machine!

ktrace is the kernel trace facility, and allows kernel tracing of
a given process. Unlike the previous utilities demonstrated, ktrace
logs its output to a file rather than the screen. By default, this output
goes to a file named 'ktrace.out'. Also, if you think fs_usage is
verbose, ktrace is even more so. Due to this, ktrace writes its
output in a more efficient binary format. A separate utility, kdump,
will read a ktrace file - again, by default, ktrace.out - and display it
in "human readable" format. Like most things, once you see it in
action, you'll get it immediately. Back to httpd:

# ktrace -p 134

...and that's it. ktrace is silently logging in the background.
Once again: ktrace can generate huge amounts of output. If you
run this on a production machine, you can fill a disk very quickly,
depending on the process you're tracing. Since ktrace launches a
kernel process, you won't see any evidence of ktrace running in a
'ps' listing, so you can easily forget about it. Take care with this
one! Back to usage... While this is tracing, I'll go load my web
page. Then, we need to stop ktrace. While tracing can be
stopped on a particular process, it's very rare that I'm tracing more
than one process at a time, or that I wouldn't want to stop them
all at the same time, so I go for the panic button: ktrace -C
(note the capital 'C'). The -C switch stops all traces belonging to
the current user. Unlike other utilities of its type, you do not have
to be root to use ktrace, however, it certainly helps. If you own
a process, though, you can ktrace it. For completeness sake, you
cancel a specific trace by using the '-p' switch again, together
with '-c': ktrace -c -p 134. Now, to look at our output:

# kdump | less
   134 httpd    RET   accept 4
   134 httpd    CALL  sigaction(0x1e,0xbffff988,0xbffffa00)
   134 httpd    RET   sigaction 0
   134 httpd    CALL  fcntl(0x4,0x2,0x1)
   134 httpd    RET   fcntl 0
   134 httpd    CALL  getsockname(0x4,0xbffffa60,0xbffffa80)
   134 httpd    RET   getsockname 0
   134 httpd    CALL  setsockopt(0x4,0x6,0x1,0xbffffa00,0x4)
   134 httpd    RET   setsockopt 0
   134 httpd    CALL  read(0x4,0x180ee90,0x1000)
   134 httpd    GIO   fd 4 read 320 bytes
       "GET / HTTP/1.1\r
       Accept: */*\r
       Accept-Language: en\r
       Accept-Encoding: gzip, deflate\r
       Cookie: PHPSESSID=43edcdcfiCieaa<ib4a7ed7778acebbded6; AWSUSER_ID=awsuser_id1137205739363r9609\r
       User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418 (KHTML, like Gecko) Safari/417.9.2\r
       Connection: keep-alive\r
       Host: ws\r
       \r
       "
   134 httpd    RET   read 320/0x140
   134 httpd    CALL  sigaction(0x1e,0xbfffd8a8,0xbfffd920)
   134 httpd    RET   sigaction 0
   134 httpd    CALL  stat(0x188eeb0,0x188d300)
   134 httpd    NAMI  "/www/wheresspot/html"
   134 httpd    RET   stat 0
   134 httpd    CALL  open(0x188f0f0,0,0x1b6)
   134 httpd    NAMI  "/www/wheresspot/html/.htaccess"
   134 httpd    RET   open -1 errno 2 No such file or directory
   134 httpd    CALL  sigaction(0xe,0,0xbffff830)
   134 httpd    RET   sigaction 0
   134 httpd    CALL  stat(0x188fba8,0x1887700)
   134 httpd    NAMI  "/www/wheresspot/html/index.html"
   134 httpd    RET   stat 0
   134 httpd    CALL  stat(0x188fa00,0x188f260)
   134 httpd    NAMI  "/www/wheresspot/html/index.html"
   134 httpd    RET   stat 0
   134 httpd    CALL  sigprocmask(0x1,0,0x13d9aa4)
   134 httpd    RET   sigprocmask 0
   134 httpd    CALL  umask(0x3f)
   134 httpd    RET   umask 18/0x12
   134 httpd    CALL  umask(0x12)
   134 httpd    RET   umask 63/0x3f
   134 httpd    CALL  sigprocmask(0x1,0,0x13d9aa4)
   134 httpd    RET   sigprocmask 0
   134 httpd    CALL  setitimer(0x2,0xbfffe7d0,0)
   134 httpd    RET   setitimer 0
   134 httpd    CALL  sigaction(0x1b,0xbfffe6f8,0xbfffe764)
   134 httpd    RET   sigaction 0
   134 httpd    CALL  sigprocmask(0x2,0xbfffe7e0,0)
   134 httpd    RET   sigprocmask 0
   134 httpd    CALL  sigprocmask(0x1,0,0x13d9aa4)
   134 httpd    RET   sigprocmask 0
   134 httpd    CALL  stat(0x901a0ad0,0xbfffe2f8)
   134 httpd    NAMI  "/"
   134 httpd    RET   stat 0
   134 httpd    CALL  lstat(0x1886400,0xbfffe2f8)
   134 httpd    NAMI  “ „ "
   134 httpd    RET   lstat 0
   134 httpd    CALL  chdir(Oichff fc56fl)
   134 httpd    NAMI  "/www/wheresspot/html"
   134 httpd    RET   chdir 0
   134 httpd    CALL  getattrlist(0xbfffe730,0xa0000494,0xbfffdf34,0x41c,0x1)
   134 httpd    NAMI  "/www"
   134 httpd    RET   getattrlist 0
   134 httpd    CALL  getattrlist(0xbfffe730,0xa0000494,0xbfffdf34,0x41c,0x1)
   134 httpd    NAMI  "/www/wheresspot"
   134 httpd    RET   getattrlist 0
   134 httpd    CALL  getattrlist(0xbfffe730,0xa0000494,0xbfffdf34,0x41c,0x1)
   134 httpd    NAMI  "/www/WheresSpot/html"
   134 httpd    RET   getattrlist 0
   134 httpd    CALL  getattrlist(0xbfffe730,0xa0000494,0xbfffdf34,0x41c,0x1)
   134 httpd    NAMI  "/www/WheresSpot/html/index.html"

This was just a tiny piece of the output! If you compare this
ktrace data with the sc_usage display, you'll see many of the
same calls, as one would expect. Also, comparing the ktrace
output with the fs_usage data shows the same files being
opened, and the same errors returned. The ktrace output,
though, is much more detailed. Additionally, as files are opened
and read, ktrace will actually show the content - look at the http
header get passed across in the sample we're using.

As you may expect, ktrace can get even more advanced.
First, you can use ktrace to launch a process, just so you get
every drop of info, right from the start. Just pass the name on
the command line: ktrace SomeApplication. Second, you
can instruct ktrace to trace current and/or future descendants of
a process, also. Very important stuff! In part two of this series
we talked about Activity Monitor and using it to see parent
processes - the process that spawned the process you're
interested in. Thanks to launchd, SystemStarter and their ilk,
this happens a lot under Tiger. ktrace doesn't disappoint. The
'-d' switch immediately starts tracing descendants of the process
you specify. A nice alternative is the '-i' switch, which will trace
only newly created child processes (created after you begin
tracing). This is exceptionally handy if you want to trace a
process that is a launchd child whose "OnDemand" flag is false -
in other words, launchd will keep it alive by restarting it, if it
goes away. A perfect example is lookupd: how do you trace
this cleanly? Use the '-i' switch:

# ktrace -p 1 -i ; killall lookupd

Here, we trace launchd and whatever it spawns - but we know
it's going to re-spawn lookupd pretty soon, because we're going
to kill it off. Check the process list with ps, and when lookupd
shows up again, stop tracing with ktrace -C. When you look
at the results with kdump, you can see the switch from launchd
to lookupd:


 27414 launchd  CALL  setsid
 27414 launchd  RET   setsid 27414/0x6b16
 27414 launchd  CALL  sigprocmask(0x3,0xf0101c54,0)
 27414 launchd  RET   sigprocmask 0
 27414 launchd  CALL  setpriority(0,0,0)
 27414 launchd  RET   setpriority 0
 27414 launchd  CALL  execve(0x107d4,0x10644,0x3001e0)
 27414 launchd  NAMI  "/usr/sbin/lookupd"
 27414 launchd  NAMI  "/usr/lib/dyld"
 27414 lookupd  RET   execve 0
 27414 lookupd  CALL  __sysctl(0xbffff9cc,0x2,0xbffff9d4,0xbffff9c8,0x8fe4391c,0xa)
 27414 lookupd  RET   __sysctl 0
 27414 lookupd  CALL  __sysctl(0xbffff9d4,0x2,0x8fe5899c,0xbffffa78,0,0)
 27414 lookupd  RET   __sysctl 0
 27414 lookupd  CALL  __sysctl(0xbffff9cc,0x2,0xbffff9d4,0xbffff9e8,0x8fe45948,0xd)
 27414 lookupd  RET   __sysctl 0
 27414 lookupd  CALL  __sysctl(0xbffff9d4,0x2,0x8fe58998,0xbffffa78,0,0)
 27414 lookupd  RET   __sysctl 0
 27414 lookupd  CALL  open(0x191c,0,0)
 27414 lookupd  NAMI  "/usr/lib/libobjc.A.dylib"
 27414 lookupd  RET   open 3
 27414 lookupd  CALL  fstat(0x3,0xbffff950)


As I mentioned, ktrace might stay at the bottom of your toolbox
for a while, but in certain cases, there is no substitute.
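
An added example (not from the article): a small Python parser for kdump text that pairs each CALL with its NAMI paths and its RET, then reports failed calls such as the .htaccess open and the launchd to lookupd execve hand-off seen in the two kdump listings above. SAMPLE_KDUMP is a constructed excerpt modelled on those listings, and all function names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "  pid command  TYPE  details" as printed by kdump.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|RET|NAMI|GIO)\s+(.*)$")
# "name value[/0xhex] [errno N message]"
RET_RE = re.compile(r"^(\w+)\s+(-?\d+)(?:/0x[0-9a-f]+)?(?:\s+errno\s+(\d+)\s+(.+))?$")


@dataclass
class Syscall:
    pid: int
    command: str                 # command name when the call was made
    name: str
    paths: list[str] = field(default_factory=list)
    result: int | None = None
    errno: int | None = None
    error: str | None = None
    command_after: str | None = None  # command name on the RET line


def parse_kdump(text: str) -> list[Syscall]:
    """Pair CALL / NAMI / RET records per pid and return completed calls."""
    pending: dict[int, Syscall] = {}
    done: list[Syscall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # GIO payload lines and blanks carry no record header
        pid, command, kind, rest = int(m[1]), m[2], m[3], m[4].strip()
        if kind == "CALL":
            pending[pid] = Syscall(pid, command, rest.split("(", 1)[0])
        elif kind == "NAMI" and pid in pending:
            pending[pid].paths.append(rest.strip('"'))
        elif kind == "RET":
            r = RET_RE.match(rest)
            call = pending.pop(pid, None)
            if r is None or call is None or call.name != r[1]:
                continue  # tracing began mid-call, e.g. the first "RET accept"
            call.result = int(r[2])
            call.command_after = command
            if r[3] is not None:
                call.errno, call.error = int(r[3]), r[4]
            done.append(call)
    return done


def failed_calls(calls: list[Syscall]) -> list[Syscall]:
    return [c for c in calls if c.errno is not None]


def paths_by_command(calls: list[Syscall]) -> dict[str, list[str]]:
    """Every path each command name touched, in first-seen order."""
    seen: dict[str, list[str]] = {}
    for c in calls:
        for p in c.paths:
            bucket = seen.setdefault(c.command, [])
            if p not in bucket:
                bucket.append(p)
    return seen


def exec_transitions(calls: list[Syscall]) -> list[tuple[int, str, str, str]]:
    """(pid, old command, new command, image) for each successful execve."""
    return [(c.pid, c.command, c.command_after, c.paths[0])
            for c in calls
            if c.name == "execve" and c.result == 0 and c.paths]


# Constructed sample modelled on the article's listings (raw string keeps "\r" literal).
SAMPLE_KDUMP = r"""
   134 httpd    RET   accept 4
   134 httpd    CALL  read(0x4,0x180ee90,0x1000)
   134 httpd    GIO   fd 4 read 320 bytes
       "GET / HTTP/1.1\r
       Host: ws\r
       \r
       "
   134 httpd    RET   read 320/0x140
   134 httpd    CALL  stat(0x188eeb0,0x188d300)
   134 httpd    NAMI  "/www/wheresspot/html"
   134 httpd    RET   stat 0
   134 httpd    CALL  open(0x188f0f0,0,0x1b6)
   134 httpd    NAMI  "/www/wheresspot/html/.htaccess"
   134 httpd    RET   open -1 errno 2 No such file or directory
   134 httpd    CALL  stat(0x188fba8,0x1887700)
   134 httpd    NAMI  "/www/wheresspot/html/index.html"
   134 httpd    RET   stat 0
 27414 launchd  CALL  execve(0x107d4,0x10644,0x3001e0)
 27414 launchd  NAMI  "/usr/sbin/lookupd"
 27414 launchd  NAMI  "/usr/lib/dyld"
 27414 lookupd  RET   execve 0
"""

if __name__ == "__main__":
    calls = parse_kdump(SAMPLE_KDUMP)
    for c in failed_calls(calls):
        print(f"{c.command}[{c.pid}] {c.name} {c.paths} -> errno {c.errno} ({c.error})")
    print(exec_transitions(calls))
```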

Homework

Over the course of this series, we've looked at many
different troubleshooting techniques and utilities. But wait,
there's more! More than I can cover, unfortunately. If ktrace
gives you happy dreams of watching a program run, how about
interaction? I'd be remiss if I didn't mention gdb, the GNU
debugger. Available on OS X as part of the Xcode installation,
gdb will let you be in control of any application. There are
some great documents to get you started, including:

Richard Stallman's "Debugging with gdb"
<http://developer.apple.com/documentation/DeveloperTools/gdb/gdb/gdb_toc.html>

Apple Computer's Technical Note 2032, "Getting Started
with gdb" <http://developer.apple.com/technotes/tn/tn2032.html>

Apple Computer, "Using gdb"
<http://developer.apple.com/documentation/DeveloperTools/gdb/gdb/gdb_toc.html>

Apple Computer's Technical Note 2030, "Using gdb for 
MacsBug Veterans" <http://developer.apple.com/technotes/tn/tn2030.html> 

Breathe Out 

So closes this series on troubleshooting OS X. Hope it 
transforms the way you attack problems and get answers to 
questions when dealing with OS X. Despite all of these great 
tools, there are issues that can be solved more easily and 
efficiently with a fresh install - and there will always be nasty 
little things that only the programmers at Apple can deal with 
effectively. Now, however, there will be a host of new things 
you have insight to. 

I missed recommending a "media of the month" in June, so 
I need to make up for it this time. A college professor of mine 
made me read "The Mythical Man Month" by Frederick P. 
Brooks back in the day. While I really just wanted to dive into 
some code, I had then, and still do have, tremendous respect for 
this professor, so I begrudgingly read it. It's a text that has stuck 
with me to this day. It's now available in a 20th Anniversary 
edition. If you've never read it, I highly recommend it. For 
those that still do want to 'just geek out', I suppose I should 
mention some sys-admin-y kind of reading. I've mentioned in 
the past that you can rule the universe if you know regular 
expressions, so, let's get everyone back on track. "Mastering 
Regular Expressions" by Jeffrey E. F. Friedl, published by 
O'Reilly, really will get you on the right track regarding the 
basics, and all of the things that tend to trip people up with 
more complex regex. 

July! Ready for WWDC? Whether or not you're going to be 
in San Francisco for the event, I think there's a lot of excitement 
this year, and you'll be able to live vicariously through MacTech, 
if you need to! I will be attending, and hope to meet up with 
readers old and new alike. Send along an e-mail if you'd like 
to meet up and shake hands, or, if you'd like to introduce a new 
author for MacTech. In person or in print, see you next month! 

References 

Just about everything at http://developer.apple.com 

The respective source and man page for each utility mentioned. 
MICROSOFT | MAC IN THE ENTERPRISE 

Entourage Exchange Account Configuration 

Understanding the details of Microsoft Entourage 2004 
Exchange account configurations 

Introduction 

Entourage provides two methods for configuring 
accounts: manually via the Account Settings dialog or 
through the Account Configuration Wizard, a simple tool 
that automatically detects your network's configurations 
and configures an Exchange account accordingly. 
Understanding how these methods work is very useful for 
troubleshooting deployment headaches. 

Navigating the Account Settings Dialog 

Entourage uses WebDAV, the same technology 
underpinnings as the web-based Outlook Web Access 
(OWA), to communicate with the Exchange server. As a 
user, if you can access your Exchange mailbox through 
the web browser, you should be able to configure 
Entourage to synchronize with Exchange. From the 
administrator's perspective, this means that no further 
work is required in order to support Entourage if OWA is 
enabled on your Exchange server. 

To configure or create an Exchange account in 
Entourage, use the standard Entourage account manager 
at menu path Tools : Accounts, click on the Exchange 
tab, and press the New toolbar button. 



Figure 1: Account Settings 
The Account name field merely represents how the 
Exchange account will appear throughout Entourage. The 
contents of this field do not impact how Entourage synchronizes 
or communicates with the Exchange server. Typically the field 
should be easily recognizable as conveying the relevance or 
location of the account. For example, with my Microsoft 
corporate account, I simply name my account Microsoft. Name 
and E-mail address represent how outgoing e-mail addresses will 
be generated and represented to recipients. The E-mail address 
field is also used in Entourage's mailbox discovery process 
detailed later. 

The Account ID, Domain, and Password are the Active Directory 
credentials of the account whose mailbox Entourage will synchronize. 
Within many organizations, you may recognize these credentials by 
logging in with a domain name\account ID. If you save your password 
using the Mac OS keychain, it is important to remember that each time 
you change your password, you need to return to Entourage's account 
settings and update your password. While Entourage does not allow 
you to change or reset your password from within Entourage, 
Entourage will notify you that a password will soon expire. 

In the simplest configuration, the Exchange server field 
merely needs to contain the host name of the Exchange server 
Entourage will connect to for mailbox synchronization. If the 
user's mailbox is later moved to a different Exchange server, 
Entourage should be redirected to the new location and the user 
will not need to update the Exchange server field's contents. 

Entourage's mailbox discovery process is one of the most 
common issues that result in an Exchange account failing to 
connect with the server. When first connecting to an Exchange 
mailbox, Entourage attempts to locate the user's mailbox 
through a combination of the left-hand-side of the user's e-mail 
address, and the Exchange server field's value. In most cases, 
Entourage attempts to find the user's mailbox beyond the virtual 
root with the left-hand-side (LHS) of a user's e-mail address. In 
the e-mail address aruff@microsoft.com, Entourage will look for 
an Exchange mailbox named aruff. 

The virtual root is the first subcomponent of the URL used 
by Entourage when communicating with the Exchange server. 
In the default Exchange deployment, the virtual root is 
/exchange/. Entourage will always assume the default virtual 
root is unchanged. If your organization has modified the virtual 
root, you may override this behavior by entering a custom virtual 
root within the account's Exchange Server field. For example, if 
your Exchange server had a custom virtual root of /owa/ and 
mail.example.com was your Exchange server, you should enter 
mail.example.com/owa/ in the Exchange server field in order for 
Entourage to begin synchronization. 

Figure 2: Components of Exchange Mailbox URLs 
(https://mail.microsoft.com/exchange/aruff/Inbox/, labeled with 
Server Name, Virtual Root and Mailbox) 

In some organizations, particularly those supporting a 
variety of legacy e-mail and directory configurations, this poses a 
problem. Oftentimes, such organizations name Exchange 
mailboxes using the user's account alias (the default value when 
creating an Exchange mailbox), but assign users much more 
human-readable e-mail addresses. For example, instead of 
aruff@microsoft.com, the user knows their e-mail address as 
more along the lines of andy_ruff@microsoft.com. 

The Exchange Server field is again key to overriding the methods 
Entourage uses to discover a user's mailbox. When the user's mailbox 
name differs from the LHS of their e-mail address, placing the full 
path (server name/virtual root/mailbox name) in the field will 
override Entourage's mailbox discovery behavior, forcing Entourage 
to look directly at the provided path for the user's mailbox. 

Oftentimes, getting the Exchange server field correct is a 
process of understanding the relationship between Entourage 
and Outlook Web Access (OWA). The simplest method for 
configuring an Exchange account in Entourage is to log into 
OWA, copy the resulting location in Safari's Address Bar up 
until the first mailbox folder, and paste the resulting text in 
the Exchange server field of your account in Entourage. 
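The mailbox-location rules above, written out as an added example that is not Entourage's code and not part of the original article. The helper name mailbox_url(), the https default when the field carries no scheme, and the trailing slash on the result are assumptions made for illustration; the sample hosts and addresses are the article's own.

```c
/* Added example: a model of the mailbox-location rules described above.
 * Not Entourage's code; mailbox_url() is a hypothetical helper. */
#include <stdio.h>
#include <string.h>

/* Returns the mailbox URL the rules lead to, or NULL on bad input.
 * The result lives in a static buffer that the next call overwrites. */
const char *mailbox_url(const char *server_field, const char *email)
{
    static char url[512];
    const char *scheme = "https";  /* assumption when the field has no scheme */
    const char *at = strchr(email, '@');
    const char *path;
    size_t hostlen, pathlen;
    int lhs, n;

    if (at == NULL || at == email)
        return NULL;               /* no left-hand side to use as mailbox name */
    lhs = (int)(at - email);

    if (strncmp(server_field, "https://", 8) == 0) {
        server_field += 8;
    } else if (strncmp(server_field, "http://", 7) == 0) {
        scheme = "http";
        server_field += 7;
    }

    hostlen = strcspn(server_field, "/");
    if (hostlen == 0)
        return NULL;               /* the field must at least name a server */
    path = server_field + hostlen;
    while (*path == '/')
        path++;
    pathlen = strlen(path);
    while (pathlen > 0 && path[pathlen - 1] == '/')
        pathlen--;                 /* ignore trailing slashes */

    if (pathlen == 0) {
        /* Server name only: default virtual root plus the LHS of the address. */
        n = snprintf(url, sizeof url, "%s://%.*s/exchange/%.*s/",
                     scheme, (int)hostlen, server_field, lhs, email);
    } else if (memchr(path, '/', pathlen) == NULL) {
        /* server/vroot: custom virtual root, mailbox still taken from the LHS. */
        n = snprintf(url, sizeof url, "%s://%.*s/%.*s/%.*s/",
                     scheme, (int)hostlen, server_field,
                     (int)pathlen, path, lhs, email);
    } else {
        /* server/vroot/mailbox: the path is used exactly as entered. */
        n = snprintf(url, sizeof url, "%s://%.*s/%.*s/",
                     scheme, (int)hostlen, server_field, (int)pathlen, path);
    }
    return (n < 0 || (size_t)n >= sizeof url) ? NULL : url;
}

int main(void)
{
    /* Alias matches the LHS: discovery finds the mailbox. */
    printf("%s\n", mailbox_url("mail.microsoft.com", "aruff@microsoft.com"));
    /* Custom virtual root entered in the field. */
    printf("%s\n", mailbox_url("mail.example.com/owa/", "aruff@microsoft.com"));
    /* Friendly address, alias differs: discovery looks for the wrong mailbox. */
    printf("%s\n", mailbox_url("mail.microsoft.com", "andy_ruff@microsoft.com"));
    /* Full path pasted from OWA overrides discovery. */
    printf("%s\n", mailbox_url("https://mail.microsoft.com/exchange/aruff/",
                               "andy_ruff@microsoft.com"));
    return 0;
}
```

Comparing the third and fourth results with the URL that works in OWA shows at a glance whether a failing account needs the full path in the Exchange server field.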

Figure 3: Advanced tab (Edit Account dialog: Public Folder Settings 
with the public folders server, SSL and DAV port options; Directory 
Settings with the LDAP server, logon, SSL, LDAP port, maximum 
results and search base options) 

The Advanced tab provides further configuration for 
Exchange functionality that is not required in order to 
synchronize with Entourage, but that many users find important: 
public folders and access to the global address list. 

The Public Folder server provides both access to public 
folders and free/busy information. Entourage may 
synchronize any calendar, address book, or message public 
folder. If your public folders are replicated across a 
collection of servers, Entourage will follow redirections to 
the appropriate server. If you would like a regularly 
accessed public folder to be synchronized for offline access, 
the public folder should be added to your public folder 
favorites simply by dragging-and-dropping the folder into the 
Favorites subfolder of the Public Folders folder of your 
Exchange account in Entourage. 

When scheduling a meeting, free/busy information is used 
to share with others what time you are available to meet. 
Entourage does not generate and publish free/busy information. 
Instead, the Exchange server detects changes in a calendar and 
automatically updates the corresponding free/busy information. 
If another user's free/busy information appears dark grey within 
Entourage when scheduling meetings, it is often the result of an 
incorrectly configured Public folders server address. 

For access to the corporate directory or Global Address List, 
Entourage uses the LDAP services of an Active Directory domain 
controller. The LDAP Server field is the host name of a domain 
controller Entourage will query. Entourage typically queries the 
Global Catalog of a domain controller for directory information 
with default ports of 3268 and 3269. If you do not know the 
name of your domain controller, you may use the same "dig" 
command line query detailed later. 

In order for users to be able to browse the contents of the 
directory, Entourage uses the LDAP Virtual List View (VLV) 
control introduced in Windows Server 2003. Entourage 
users connecting to Windows 2000 domain controllers will 
only be able to search the contents of the directory. 

Dissecting the Account Configuration Wizard 

The Account Configuration Wizard provides a simple 
mechanism for configuring a new Exchange account without 
requiring the user to know anything other than their Active 
Directory login credentials and e-mail address. It is important to 
understand how the Account Configuration Wizard works so that 
you might tweak your network configuration to ensure its 
success as a low cost method for deploying Entourage as an 
Exchange client. 


Figure 4: Account Configuration Wizard (Account Setup Assistant, 
"Set Up a Mail Account": E-mail address, "My account is on an 
Exchange server", User ID, Domain and Password fields) 


The wizard follows a three-step process for automatically 
determining the user's account settings: 1) finding a domain 
controller, 2) determining the Exchange server that hosts the user's 
mailbox, and 3) connecting to the server to begin synchronization. 
It is important that the user's Network settings in System 
Preferences are properly configured with the appropriate search 
domains and DNS server, as the combination of the two values is 
critical to Entourage's ability to find servers on a network. 

In order to find a domain controller, Entourage uses the 
DNS service discovery mechanism to find LDAP-based services 
on the currently connected network. If Entourage is unsuccessful 
at finding, or finds the incorrect domain controller within a 
network, oftentimes it is easiest to debug the DNS configuration 
of the machine using either the dig or nslookup command-line 
tools to perform a DNS query similar to that issued by 
Entourage. In Terminal.app, execute dig _ldap._tcp + search domain: 

aruff:~ aruff$ dig _ldap._tcp.microsoft.com 

; <<>> DiG 9.2.2 <<>> _ldap._tcp.microsoft.com 
;; global options:  printcmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36646 
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 

;; QUESTION SECTION: 
;_ldap._tcp.microsoft.com.      IN      A 

;; AUTHORITY SECTION: 
microsoft.com.  3595  IN  SOA  dc.microsoft.com. hostmaster.microsoft.com. 11896502 900 600 86400 3600 

;; Query time: 70 msec 
;; SERVER: 157.57.195.29#53(157.57.195.29) 
;; WHEN: Mon Jun 12 22:46:37 2006 
;; MSG SIZE  rcvd: 118 


In the above results, the DNS server returned that 
dc.microsoft.com provides LDAP services. In this case, 
dc.microsoft.com likely refers to many different domain 
controllers. Often organizations use DNS to have a single 
host name point to a series of servers, allowing clients such 
as Entourage to quickly roll over to any of the servers 
depending on uptime and server load. If the DNS query 
returns more than one domain controller, Entourage chooses 
the appropriate domain controller based on priority returned 
in the DNS query. If the priority value of two or more 
domain controllers match, Entourage chooses the first 
matching domain controller. 
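The selection rule above, as an added example that is not Entourage's code and not part of the original article. It assumes the records come from an SRV-type query such as `dig SRV _ldap._tcp.example.com`, and that the lowest priority value is the preferred one, as RFC 2782 defines for SRV records; the sample answer lines and host names are constructed.

```c
/* Added example, not Entourage's code: pick a domain controller from
 * SRV answer lines in dig's output format. */
#include <stdio.h>
#include <string.h>

/* Constructed sample, shaped like the ANSWER section of
 * `dig SRV _ldap._tcp.example.com`; hosts and values are made up. */
static const char *SAMPLE[] = {
    ";; ANSWER SECTION:",
    "_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc3.example.com.",
    "_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.",
    "dc1.example.com. 600 IN A 192.0.2.10",
};

/* Returns the chosen SRV target, or NULL when no SRV record was found.
 * The result lives in a static buffer that the next call overwrites. */
const char *pick_dc(const char *const *lines, size_t n)
{
    static char chosen[256];
    int best_prio = -1;            /* SRV priorities are 0..65535 */
    size_t i;

    for (i = 0; i < n; i++) {
        int prio, weight, port;
        char target[256];

        if (lines[i][0] == ';')
            continue;              /* dig comment or section header */
        /* name TTL IN SRV priority weight port target */
        if (sscanf(lines[i], "%*s %*d IN SRV %d %d %d %255s",
                   &prio, &weight, &port, target) != 4)
            continue;              /* some other record type */
        /* A strictly lower value replaces the choice, so on a tie the
         * first matching record is kept, as the article describes. */
        if (best_prio == -1 || prio < best_prio) {
            best_prio = prio;
            snprintf(chosen, sizeof chosen, "%s", target);
        }
    }
    return best_prio == -1 ? NULL : chosen;
}

int main(void)
{
    const char *dc = pick_dc(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
    printf("domain controller: %s\n", dc ? dc : "(none found)");
    return 0;
}
```

A NULL result on real output means the answer carried no SRV records at all, which points at the search domain or DNS server in the Network settings rather than at Entourage.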

After discovering a domain controller, Entourage connects, 
binds, and queries the Active Directory via LDAP for the 
homeMDB attribute of the user's directory entry. The 
homeMDB attribute contains the host name of the Exchange 
server that stores the user's mailbox. Further, Entourage will set 
the Directory Service server field for the account to the 
discovered LDAP-providing domain controller. 

Failure to discover the homeMDB attribute typically is the 
result of Entourage's inability to find the user object in the Active 
Directory. If you have access to a Windows machine, it may be 
useful to use the LDP.exe tool in the Windows 2000 Support 
Tools kit to connect to the LDAP service returned by the DNS 
query in step one, and ensure the user's Active Directory object 
is replicating properly to the target domain controller and that 
the homeMDB attribute is returned correctly. 

Once Entourage knows the homeMDB value, Entourage 
connects to the server via WebDAV, and attempts to locate the 
user's mailbox. Once Entourage locates the mailbox on the 
server, Entourage parses out HTML generated by Outlook Web 
Access to the location of the public folder server. Typical causes 
of failure at this step in the configuration wizard are either 
Entourage's difficulty in locating the user's mailbox on the server 
or the server being inaccessible on the network (e.g. incorrect search 
domains within the Network settings of System Preferences). If 
all succeeds, the account configuration wizard will exit and the 
user will begin to see the contents of their Exchange mailbox 
synchronizing with Entourage. 

Seamless Traveling: Synch Entourage 
without VPN Access 

Taking advantage of the rich experience and offline 
capabilities of Entourage's Exchange synch need not be limited 
to your office. A benefit of Entourage using the same 
underlying technology as OWA to communicate with your 
Exchange server is that Entourage may synchronize your Exchange 
account from any machine that is able to access the same 
mailbox in a web browser through OWA. If you are able to go 
home, launch Safari, and check your e-mail using OWA, then 
you should also be able to configure Entourage to connect to 
your Exchange server and synchronize while at home, just as 
you would in the office. 

For laptop users, this capability provides offline access 
for productive e-mail triage on the airplane or quick access 
to a contact's phone number, even when no wireless network 
is available. Personally, I configure Entourage to always 
point to the corporate OWA servers. This allows me to dash 
off to a local coffee shop for several hours of uninterrupted 
focus or connect to the airport's wireless network when 
traveling, all the while seamlessly synchronizing my 
Exchange account with Entourage without once mucking 
with VPN access—it just works. 

To configure Entourage to connect to the OWA server, 
place the name of the server you connect to in Safari within 
the Exchange server field. For example, if you type 
https://mail.example.com/ in Safari to access your Exchange 
mail from within your web browser, enter 
https://mail.example.com into the Exchange server field of 
your Entourage Exchange account (Entourage will 
automatically detect if your Exchange server uses a secure 
connection and toggle the "use SSL" check box as necessary). 
For public folders and free-busy information, you may find it 
easiest to browse to your public folders within OWA, copying 
the front portion of the resulting URL in the Address Bar. 
Under the default Exchange server configuration, public 
folders are accessible under the /public/ virtual root (e.g. 
https://mail.example.com/public/). 

Generally, few organizations allow applications outside 
their trusted networks to access domain information via 
LDAP. As such, both the Global Address List and Account 
Configuration Wizard will fail to work in Entourage. If an 
always-accessible Global Address List is critical to your 
organization, you may consider configuring Microsoft Active 
Directory Application Mode 
(http://www.microsoft.com/windowsserver2003/adam/) to 
host the GAL and provide lightweight LDAP services over a 
secure connection. Some third party tools, such as 
Entourage ABMenu, provide a method for quickly searching 
your GAL through Entourage without requiring LDAP 
connectivity. 

While Outlook and Exchange 2003 deliver similar 
functionality in the form of MAPI-RPC, Entourage 2004 users in 
both Exchange 2000 and 2003 environments may configure 
Entourage to synchronize without ever needing to worry about 
VPN access. 

Conclusion 

Entourage uses a variety of technologies to communicate 
with the Exchange server, sometimes making deployment a 
challenge. Understanding how each of these technologies 
impacts Entourage is often key to forging a plan for deploying 
Entourage within your organization. 
Taking Advantage of The Intel Core Duo Processor-Based iMac 

How to make your applications run faster 

By Ganesh Rao and Ron Wayne Green 

Introduction 

This is the first of a three-part series that will address the 
most effective techniques to optimize applications for the 
Intel® Core™ Duo processor-based Macs. Part one introduces 
the key aspects of the Core Duo processor, and exposes the 
architectural features for which tuning is most important. A 
data-driven performance methodology using the software 
development tools available on a Mac to highlight tuning and 
optimization opportunities for a variety of applications is then 
described at length. Intel Core Duo processors feature two 
execution cores and each of the cores is capable of vector 
processing of data, referred to as the Intel® Digital Media 
Boost, which extends the Single Instruction Multiple Data 
(SIMD) technology. The second part of this series outlines how 
to take advantage of SIMD by enabling vectorization in the Intel 
Compiler. The final part of this 3-part series provides readers 
with the next level of optimization by taking advantage of both 
execution cores in addition to SIMD. We will cover 
auto-parallelization, where simple loops can be rendered parallel. 
And finally we will cover OpenMP, which are powerful 
user-specified directives embedded in source code to automagically 
tell the compiler to thread the application. You will love how 
easily you can thread applications while at the same time 
maintaining fine grain control of threads. 

In this article, advanced and innovative software 
optimization techniques supported by industry-leading 
compilers are addressed. These optimization techniques are 
used in the field every day to get better performance. Key 
topics will be illustrated with C++ and Fortran code snippets. 

Intel Core duo processor 

There is a rumor going around that Apple Macs now use 
an Intel processor, and a very happy Intel processor at that! 

All humor aside, we know that the MacTech community is gaining 
a very sophisticated understanding of the details of the Intel Core 
Duo processor. We want to call out features in the processor that, 
based on our experience, are most likely to increase the 
performance of your application. Stated differently, in this section 
we call out processor features that can be leveraged to extract 
better application performance. The Intel Core Duo processor 
includes two execution cores in a single processor. Please see 
Figure 1. Each of the execution cores supports Single Instruction 
Multiple Data (SIMD), which involves performing multiple 
computations with a single instruction in parallel. Please see 
Illustration 2 for a diagrammatic representation of SIMD. 

Figure 1: Intel® Core™ Duo processor architecture 

Figure 2: SIMD performs the same operation on multiple data 

Applications that are most likely to benefit from SIMD are 
those that can be characterized as 'loopy'. SIMD is quite 
commonly seen in programs that spend a significant amount of 
time processing integers and/or floating point numbers in a 
loop. An example of this is a matrix-multiply operation. Intel 
Streaming SIMD Extensions (SSE), and the AIM Alliance AltiVec* 
instructions are example implementations of SIMD. In a 
subsequent article, part 2 of this 3-part series, we will get an 
opportunity to share our best practices to taking advantage of 
the SIMD processing capability in your processor. 

SIMD extracts the best performance of a single core. Taking 
this to the next level, it is obvious that one needs to keep both 
cores busy to get maximal performance from an application. 
The most optimal way of taking advantage of both execution 
cores is to thread your application. We will share some of our 
best known methods to thread applications in the third part of 
the series. We will wrap up our three part discussion by 
highlighting innovative compiler technologies. 

Drawing the baseline 

The start of any performance optimization activity should 
be the clear definition of the performance baseline. The unit of 
the baseline could be either transactions per second, or more 
simply, the run-time of the application. Our experience is that 
we are setting ourselves up for failure if we do not have a clear, 
reproducible understanding of the baseline. Having a 
reproducible baseline also means clearly defining your 
benchmark application with the correct workload that is 
representative of anticipated usage. It may be worthwhile at this 
stage to consider if you can peel out a part of the application 
you wish to examine and wrap a main() function around it. This 
technique allows you to observe the behavior of the section of 
the application of most interest. You can then use the 'time' 
utility to measure the time spent by the program. In most 
production applications, it is difficult to completely separate the 
kernel that we wish to observe and improve performance. In 
these cases, it may be easier to insert timers in your code as 
shown below: 

Example: 

    /* Sample Timing */ 
    #include <stdio.h> 
    #include <stdlib.h> 
    #include <time.h> 

    int main(void) 
    { 
        clock_t start, finish; 
        long loop; 
        double duration, loop_calc; 

        start = clock(); 

        // CODE TO BE MEASURED HERE 
        // 

        finish = clock(); 
        duration = (double)(finish - start) / CLOCKS_PER_SEC; 
        printf("\n%2.3f seconds\n", duration); 
        return 0; 
    } 

While it is perfectly fine to use this 'time' API for applications 
and sections of code that run for a sufficient duration, the 
resolution of the clock is not fine enough for measuring a small, 
fast-running section of code. 

An alternative is to use the rdtsc instruction (Read Time 
Stamp Counter). The rdtsc instruction returns the elapsed CPU 
clocks since the last reboot. This allows significantly higher 
resolution than using the 'time' API. Intel compilers implement 
a convenient intrinsic that makes it easy to measure rdtsc. 

    #include <stdio.h> 
    #include <stdint.h> 

    int main(void) 
    { 
        uint64_t start = 0; 
        uint64_t stop = 0; 
        uint64_t elapsed; 

    #if __INTEL_COMPILER 
        // Start the counter 
        start = _rdtsc(); 
    #endif 

        // Code to be measured here 
        // 

    #if __INTEL_COMPILER 
        // Stop the counter 
        stop = _rdtsc(); 
    #endif 

        // Calculate the runtime 
        elapsed = stop - start; 
        printf("Processor cycles = %llu\n", (unsigned long long)elapsed); 
        return 0; 
    } 

As of this writing, in some cases, rdtsc may report a wrong 
Time-Stamp counter value. Using the technique described above 
with rdtsc does not work well if your thread switches context 
between the two cores, since the timer is separate on each core. 

The other preferred alternative is to use the OS supported 
mach_absolute_time API abstraction. 

    #include <stdio.h> 
    #include <stdint.h> 
    #include <CoreServices/CoreServices.h> 
    #include <mach/mach.h> 
    #include <mach/mach_time.h> 

    int main(void) 
    { 
        uint64_t start; 
        uint64_t stop; 
        uint64_t elapsed; 

        // Start the clock. 
        start = mach_absolute_time(); 

        // Code to be measured here 
        // 

        // Stop the clock. 
        stop = mach_absolute_time(); 

        // Calculate the run time. The units are those of 
        // mach_absolute_time(); mach_timebase_info() gives their 
        // ratio to nanoseconds. 
        elapsed = stop - start; 
        printf("Processor cycles = %llu\n", (unsigned long long)elapsed); 
        return 0; 
    } 
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In the measurements we did, while mach_abso 1 ute_time 
and rdtsc seemed to provide answers dial were dose, there 
were small deviations. We need to clarify that while it may be 
comforting to think that we are measuring at the accuracy of 
dock-ticks, die measurements come bundled with a lot of 
variances. Specifically, you cannot measure the latency of a single 
instruction or even a bundle of instructions using 
eidicr rdtsc or mach_absolute_time. In 
many cases, it is to die benefit of the programmer 
to set up I benchmarks that have a sufficient 
runtime between start and slop iinter. A sufficient 
runtime may be at a minimum on die order of tens 
or hundreds of seconds. 
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experienced with your application and its runtime behavior, ii 
is relatively easy to know the hoispots in your code, and 
where they occur during a typical run, Thus, a correct 
technique is to monitor your application's log output, 
determine when Lhe hotspot is slatted* stars 'Shark, and gather 
a profile over a sufficient length of time. 

Session 1 - Tim* Profile of Everything 


Hotspots in the code 


Once we have a baseline, a powerful 
alternative to hand peeling code and inserting 
timers is to run a profiler to identify the 
hotspots in your code. Shark^ is a powerful 
tool to help you achieve this. We are not going 
to go into too much detail about using Shark in 
this article, since it is covered extensively 
elsewhere* Additionally, Shark can do much 
more than what we are ealling out here. At a 
high level. Shark allows you to get a time 
profile which is based on sampling your code 
ai fixed time intervals. Depending on your 
application, you may see profiles that are relatively flat, 
meaning there are no particular areas in your code that are 
exercised more than others. Or you could see dear peaks, 
which would mean that your program exercises a smaller 
portion of your code more extensively. Shark am dump lhe 
time profile by threads allowing you to see the profile of your 
code for each of the individual threads. 

As a quick guide, start Shark from the hard disk ai 
VDeveJoper/Applications/Perfc>nuance Tt>ols/CI 1UD ^ Figure 
3 shows the start of a Shark session. 
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Figure 5: Shark info window 


Don’t hit the Shark “start 11 button yet. First, start the 
application you need to profile. Hit the “start” button in Shark. 
Once started, Shark will automatically stop after 30 seconds or 
you can choose it) hit “Slop", Note that it is a good idea to 
take Shark snapshots over slightly extended periods to get 
repeatable results. Also, make sure that you have stopped 
running other applications so as to not pollute the profile 
gathered. Depending on your application, you may choose to 
stan after your application has "warmed up” or progressed 
beyond startup initializations and initial file IQ. if you are 


Figure 4: Shark Time Profile 

Note that at this stage it may still be to your advantage to insert 
timers in your code with print statements, as we saw in the previous 
section, around the areas of code that are of interest to you. 

Using the techniques highlighted above, we can gain insight into 
the operating characteristics of programs, and understand where we 
can make a difference. We can generally think of performance 
improvement for the serial portion of the code, but also consider 
threading the code and consider performance improvements due to 
threading. We can do a back-of-the-envelope estimate 
of the potential degree to which the performance of 
the overall application can be optimized due to serial 
improvements in the code, using Amdahl's law, as 
illustrated below. 

Let us say that the hotspot or the section of the serial code 
we are optimizing is taking up fraction x of the total program 
run time. Then a speedup of fraction y on this section of the 
code should theoretically improve overall performance by 
1 / ((1-x) + x/y). As a limiting condition, the theoretical maximum 
speedup possible is 1/(1-x). The limiting maximum speedup 
would occur if the section of the code we are considering takes 
zero time to run. As an example, if a section we are focused on 
is taking 50% of the total run time (x = .5), and we provide a 
doubling of speed (y = 2) in this section, we can expect an 
overall speedup of 1/(.5 + (.5/2)) = 1/.75 = 1.33 or 33% speedup 
of the overall performance. As a theoretical maximum, we can 
get a 2x performance gain for the whole application where 
fraction x = .5, when speedup y tends to infinity. 

Once we determine where we can make a difference, and how 
much of a difference we can make, we can then look at ways 
and means in which to make improvements. Please note that 
while in this article we are looking at serial improvements, in a 
future article we will look at estimating and planning for parallel 
improvements in detail. 

One other related note before we end this section. Note that 
compilers, as part of optimization, can completely eliminate 
chunks of code that they determine will not affect the outcome of 
the final program, also referred to as dead code elimination. While 
this is a very good thing for real applications, you need to be 
careful to ensure that the compilers do not throw away the 
performance kernel you have extracted in a snippet program in 
order to examine. Typically an output statement of the result will 
be all that is required to ensure that the compiler does not 
eliminate the small section of code. 

COMPILERS 

This may sound like a cliche, but perhaps the first and the 
foremost tool at your disposal to make a performance difference 
should be your compiler. In addition to the GNU (gcc) Compiler, we 
will be discussing using the Intel® C++ compiler in the following 
sections. Both compilers integrate into Apple's Xcode Integrated 
Development Environment, and are binary and source compatible. 
Fortran developers can use the Intel® Fortran Compiler for Mac OS 
or several GNU options including g77, gfortran, or G95. While GNU 
is invoked with the 'gcc' command line, Intel Compilers are invoked 
with the 'icc' command line for C/C++ and the 'ifort' command for 
Fortran. While the examples that follow use the Intel C/C++ 
compiler, the same options apply to the Intel Fortran compiler (ifort). 

Generally speaking, newer versions of the compiler 
optimize for systems running newer processors. You can verify 
the version of the compiler by using the -v flag. 

$ icc -v 
Version 9.1 
$ gcc -v 
Using built-in specs. 
Target: i686-apple-darwin8 
Configured with: /private/var/tmp/gcc/gcc-5250.obj~12/src/configure 
--disable-checking -enable-werror --prefix=/usr --mandir=/share/man 
--enable-languages=c,objc,c++,obj-c++ 
--program-transform-name=/^[cg][^.-]*$/s/$/-4.0/ 
--with-gxx-include-dir=/include/c++/4.0.0 --build=powerpc-apple-darwin8 
--with-arch=pentium-m --with-tune=prescott --program-prefix= 
--host=i686-apple-darwin8 --target=i686-apple-darwin8 
Thread model: posix 
gcc version 4.0.1 (Apple Computer, Inc. build 5250) 

Here is a very brief rundown of the general optimization 
options available with the compilers. O0 (gcc -O0 or icc -O0) 
means no optimization is turned on. While it may be helpful to 
have the O0 option to debug applications, your application will 
run at significantly sub-optimal speed at this option level. 
O1 and O2 are higher levels of optimization. O1 usually makes 
optimization tradeoffs that result in smaller compile time 
compared to O2. 
O3 is the highest level of optimization and makes aggressive 
decisions on optimizations that require a judgment call between 
the size of the generated code, and the expected resulting speed 
of the application. 

We should note here that despite throwing the best 
optimization options, compilers can still use your help. As an 
example, let us look at an often overlooked performance hit: 
denormals. Denormalized IEEE floating point representations in 
your code can trigger exceptions that could result in severe 
runtime penalties. This is because denormals may require 
hardware and the OS to intervene in operations using denormal 
operands. When your application frequently uses very small 
numbers, you should consider taking advantage of the flush-to-zero 
(also referred to as FTZ for short) feature. The FTZ feature 
allows the CPU to take denormal values in registers within the 
CPU, and convert those values to zero, a valid IEEE 
representation. FTZ is default when using SIMD. 

Consider the following example where denormals are 
deliberately triggered for illustration. Here, we look at the 
timing between gcc and icc for the following example: 

#include <stdio.h> 

int main() 
{ 
    long int i; 
    double coefficient = .9; 
    double data = 3e-308;   /* just above the smallest normal double */ 

    /* repeated scaling pushes data into the denormal range */ 
    for (i = 0; i < 99999999; i++) 
    { 
        data *= coefficient; 
    } 

    /* print the value and its raw bits so the loop is not eliminated */ 
    printf("%f %lx\n", data, *(unsigned long*)&data); 
    return 0; 
} 

$ g++ -O3 denormal.cpp -o gden 
$ time ./gden 
0.000000 5 

real 0m13.462s 
user 0m12.676s 
sys 0m0.041s 

$ icc denormal.cpp -o iden 
denormal.cpp(8) : (col. 9) remark: LOOP WAS VECTORIZED. 
$ time ./iden 
0.000000 0 

real 0m0.170s 
user 0m0.138s 
sys 0m0.006s 


Notice that since the loop was fairly simple, the Intel compiler 
was able to vectorize the loop, and therefore use SIMD. Because 
Flush-To-Zero is the default when using SIMD registers, notice 
that the runtime improvement can be dramatic. We will dive 
into SIMD and auto-vectorization in more detail in the next 
installment of this series of articles. 

Next installment 

Now that we had a chance to go through the introductions, 
in the next installment, we will see how to pack a punch in your 
optimizations, without going through the tedious process of 
hand assembling instructions or even intrinsics. We will 
accomplish this by taking advantage of the Auto-vectorization 
feature. And yes, if you have Altivec code or SSE instructions that 
you are intending to migrate to take advantage of 
Auto-vectorization, then the next installment is a must read for you! 

In the meantime, hopefully you will get the chance to visit with 
some members of the Intel Software Development Products 
team at WWDC. 

1 Intrinsics are C-like functions built into the compiler. 
4 If you do not see the Shark application, that means that you will 
need to install CHUD. FTP the latest version from 
ftp://ftp.apple.com/developer/Tool_Chest/Testing_-_Debugging/Performance_tools/ 

5 When a resulting floating point value has a really small absolute 
value, such that it is smaller than what the hardware can handle, it 
is called a denormal value. 
White Paper 


Lasso & PHP 

By Chris Tracewell 

A Closer Look at Two OS X Scripting Languages 


Introduction 

When the World Wide Web first opened its doors to the public 
in 1994, most web pages were static text files. A new breed of 
programmers, called web masters, toiled away at their text editors, 
hour after hour, churning out HTML documents one at a time. 
Since then, a lot has changed. The vast majority of websites utilize 
server-side scripting languages to dynamically generate pages on 
the fly. The result is that web masters can now build a framework 
for their site out of just a few scripted files. The most common task 
for these scripted files is to “pull” information from a data source 
such as a database, to populate themselves with relevant data. 
Thus, a single scripted file, such as a product page, can be used to 
serve a unique page for each record in a product's database. 

Over the last decade, there has been a proliferation of 
server-side scripting languages, and the debate over which is the 
best can be found in blogs and forums throughout the web. This 
article is a look at two such scripting languages, PHP and Lasso. 
Both of these languages have unique histories that can be traced 
back to a single programmer that just wanted to create a better way 
of doing things. While the similarities are many between the two, 
so are the differences. 

About PHP 

PHP, which originally stood for Personal Home Page Tools, and 
now stands for Hypertext Preprocessor, is the most popular 
server-side scripting language in the world, largely due to the fact 
that it is free. Originally written as a small set of Perl scripts, PHP 
evolved through several iterations, and is now a very fast and 
feature-rich language written in C. PHP is an open source project, 
and is highly visible throughout the web. PHP currently stands at 
version 5.0 and gained a whole host of upgrades when it stepped 
from 4 to 5. One of the major changes was a new Object Model that 
brings object-oriented programming, as well as better speed and 
functionality. Also included are a good smattering of new functions, 
including a set of new array commands and XML implements. 
Besides plenty of nifty functions for working with your HTML files, 
you also have the ability to create PDF files, manipulate images, 
send emails, and work with XML, among other things. 

About Lasso 

Lasso is a server-side scripting language that was originally 
developed in 1995 as a means to connect Filemaker databases to 
web servers. While its roots began in the Mac and Filemaker, 
Lasso has evolved into a multi-platform object-oriented scripting 
language that fully supports inheritance, sub-classing, and 
tag-overloading. Lasso has been object-oriented since version 5.0, 
and thus has had several revisions to refine its OOP model, 
allowing coders to painlessly write custom types, tags and data 
sources in plain old LassoScript. While Lasso has been around for 
nearly the same amount of time as PHP, it is a lesser known 
technology; however, it does have a very strong and active 
community of developers that continues to grow. Lasso is used in 
nearly every sector of the Internet from e-commerce to banking 
applications to blogs, education and corporate sites. 

OmniPilot announced Lasso 8.5 in February, and many new 
features were detailed. Among the more interesting new features 
announced were a set of AJAX tags and advanced charting 
capabilities. The Lasso AJAX tags, called LJAX, make basic AJAX 
functions possible by just setting a few tags and parameters. To do 
advanced charting functions you'll be able to buy Chart FX, an 
advanced enterprise-level graphing solution. Like PHP, Lasso can 
also create and manipulate images and PDF. In addition, Lasso has 
a full array of email tags for not only composing and sending 
emails, but also opening connections to mail servers to receive 
email messages - thus giving you the ability to program your own 
mail clients in Lasso. 

So What’s The Difference? 

Disclaimers 

If you're a PHP or Lasso junkie, or for that matter someone 
who is just getting into server-scripting languages, you’d 
probably want to know how these two languages differ. I will 
tell you that I'm not here to drill down to every last technical 
detail, and declare one the supreme champion over the other. 
Rather, I hope to highlight the unique characteristics and 
capabilities of each language, as I see them, and then let you 
decide how they might fit your needs. I’ll also confess that I'm 
not the ultimate guru in either language, and I still spend a good 
amount of time chunking through language guides and looking 
for web tutorials in order to solve tough problems. 

Now that I have hopefully squelched the possibility of starting 
any technical flame wars, let me tell you that I have scripted several 
websites in both languages over the last 5 years, and currently 
maintain several websites in both languages. I have built full blown 
e-commerce, order tracking, inventory management solutions in 
both, used both to connect with third party data services like UPS 
and credit card gateways, and used both to generate and read XML 
data, as well as reading and writing files to and from the system. 
Now that you know where I am coming from, let's jump in and give 
these two products a good looking over. 


Out of the Box 

It would be nice if we were able to simply compare Lasso 
and PHP based on speed, price, and a few functions. However, 
out-of-the-box, we are talking apples and oranges. Beyond 
comparative functions, Lasso's standard feature set differs quite 
a bit from PHP’s. So, to get off on the right foot, let's look at the 
major “out-of-the-box” differences between PHP and Lasso. 

Lasso is commercial and costs money for a deployment 
license (developer software is free), whereas PHP is free. The 
problem is you get vastly differing features and abilities at those 
two price points, and thus you really can't make price point 
comparisons on a feature for feature basis. Lasso, for example, 
comes with the ability to compile standalone LassoApps that 
allow you to obscure your source code, and distribute your 
solution in a nicely contained package, all the while speeding 
up your solution's overall performance. To do this with PHP 
you'll need Zend’s Zend Guard product, which costs $995 for 
an annual subscription [Ed. Note: there are a few completely 
open source optimizers that will also protect your PHP code, 
such as the Turck MMCache]. As we'll see later, Lasso also 
includes a full blown administrative interface as part of its 
standard install. For PHP, you’ll again need to look at something 
like Zend's Zend Platform to achieve similar functionality. 
Further, by default Lasso parses LassoScript down to byte code 
and caches compiled pages for excellent speed improvements. 
With PHP, you'll need to locate and install a third party solution, 
of which there are both free and commercial solutions, to 
realize these speed gains. If you own multiple Lasso licenses, 
you can scale your solution through server clustering and 
shared session management. PHP can do the same with Zend’s 
Zend Platform product. 

Hopefully, you can see that both technologies have some 
default differences that need consideration when comparing the 
two. For the purpose of this article, we will only be comparing 
standard features, sans third-party add-on solutions that might 
give one or the other similar abilities. For the sake of this article, 
we'll assume that you can scale either with such options at 
relative prices. The goal is to see the core functionality of both 
as they are packaged and priced. 

Costs: Let’s Talk Dollars & Cents 

Development Costs 

Right out of the gate PHP has one clear advantage - it’s 
free. Lasso, on the other hand, is a commercial product - it 
costs money... sometimes. What do I mean? Until recently 
developers had to purchase their own license to develop in 
Lasso, and then either find a Lasso ISP or host their own 
solution, which, if you were running your server on a box 
other than the one you were developing on, meant you 
needed another license. With the latest release of Lasso 8.5 
(due out this summer), that all changes. OmniPilot Software, 
the makers of Lasso, now offer Lasso Developer, free to 
anyone who wants it. This is not a crippled version of Lasso 
that can't do all of the tricks of Lasso Professional Server, it 
is the exact same thing. In fact, when you install and run 
Lasso Professional Server 8.5 without a serial number, it 
simply defaults to Lasso Developer mode. The difference is 
that Lasso Developer limits the number of client connections 
to 5 IP addresses at any one time, and also limits the number 
of page requests to 1000 per minute. That’s more than 
enough for a development team to do their work, let alone a 
single programmer. 

Hosting Costs 

So you have your masterpiece coded. It’s ready for prime 
time, you’re ready to “go-live” - what's it gonna cost you? If 
you're hosting your own solution, you’re going to have to put 
down some dollars and buy a license for Lasso Professional 
Server, and that will cost you $649 ($399 typical upgrade). PHP, 
on the other hand, is free. A big difference, but if you're paying 
for the hardware and rack space or data line for your own server 
anyway, $649 is not likely the deciding factor. 

If your deployment plan, like many, is to host with an ISP, 
the monetary gap narrows considerably. PHP hosting packages 
are numerous and simple plans can get really cheap, downwards 
of $3, but I have found that spending between $6 and $10 is the 
more common scenario. While Lasso hosting is not as 
widespread, there are still a lot of options. You'll spend around 
$10 to $25 for basic plans with a couple of emails, a single 
MySQL database, and domain name. 

Connection Options: 

Playing Nice With Others 



True, this is a Mac magazine, but in today's IT world, it goes 
without saying that any technology that is landlocked to a single 
platform, with the exception maybe of Microsoft products, is 
likely to become not only irrelevant but obsolete as well. So, if 
you develop a solution and a year later want to move it to a 
different OS or IT wants to transition to a new data source, your 
life will be a lot easier if the scripting language you use can 
accommodate your needs. 

Operating Systems 

Luckily, both Lasso and PHP play nicely with others. Lasso 
can be installed on OS X, Red Hat Linux, and Windows. PHP 
comes pre-installed on OS X, and can also be installed on 
various flavors of Unix and Windows. 

Web Servers 

Lasso started out its commercial life as a plug-in to the once 
dominant Mac web server, Webstar. Since then, Lasso has gained the 
ability to integrate with Apache and Microsoft IIS, and also has a 
J2EE Java servlet connector that provides extended web server 
integration options. PHP also works with Apache, IIS and Webstar, 
and additionally supports a host of less prominent web servers like 
Sun, iPlanet and Netscape. Because the majority of pages on the 
Internet are served via Apache, and OS X comes with Apache 
installed (and IIS isn't an option on OS X), this article will assume 
an Apache configuration when referring to web servers. 

Databases 

Database connectivity for both Lasso and PHP is plentiful. 
Both speak to a broad range of SQL databases, including MySQL, 
Microsoft SQL Server, PostgreSQL, Oracle and SQLite. Both also 
support connecting to data sources through open standards such as 
XML, SOAP, ODBC, and JDBC, although PHP’s Java integration 
seems to be a bit “experimental” at this point. Take a peek at 
php.net/manual/en/ref.java.php to see what I am talking about. 
The comments on that page seem to suggest that JDBC support isn't 
currently for the faint of heart. 

Lasso also has the unique ability to connect seamlessly to 
FileMaker Pro databases right out of the box. While most would 
argue that launching a large e-commerce site using Filemaker as the 
backend data source is probably not the best idea, there is a whole 
gamut of usefulness here. First, many companies and developers 
have a legacy with Filemaker, and the need to access Filemaker 
databases on an intranet or on the web for various reasons does 
exist. Being able to keep your network clients' Filemaker, while 
also implementing access via a web browser, is something many 
users need. Lasso excels beautifully here and makes connecting to 
Filemaker databases as easy as it’s gonna get. I can already hear 
the PHP guys chattering “Hey, we can do that too.” It is true that 
a PHP project called FX.php allows PHP to connect to Filemaker, but 
it isn't a part of the default install, and after Googling around, 
doesn't seem to have a ton of momentum behind it. If you need 
serious Filemaker support, you’re gonna have a hard time not going 
with Lasso. 

Administration: 

Install, Configure, Secure 

If you’re a command line freak that knows every Emacs 
command without looking at a single man (manual) page, then 
you can skip this section because you'll be comfortable installing 
and administrating either PHP or Lasso. If, however, you're 
closer to a mere mortal like myself, who still stumbles through 
the docs when working in terminal, this section is vital. 

It is likely no surprise that PHP and Lasso install and work 
behind-the-scenes in the various OSes and web server 
integration environments they operate in. What this means to 
you is that installing and controlling their settings and behavior 
is a little more in-depth than simply pulling up a preference 
pane and clicking a few check boxes. 

Installing 

Lasso has always enjoyed the comfort of having a Mac-friendly 
installer package. PHP on the other hand used to be somewhat of 
an adventure, often a treacherous one at that. Those days are 
mostly over now, for a couple of reasons. First, as of version 13, 
PHP is native to OS X, whereas before, it required a lot of shuffling 
and command line juggling to get things set up correctly. Second, 
PHP actually comes preinstalled on OS X. Finally, and most 
importantly, you can download simple installer packages from sites 
such as http://www.entropy.ch/software/macosx/php/ and 
http://www.serverlogistics.com/php4.php that take the pain out of 
installing versions of PHP that Apple hasn't released themselves. 

When installing either language, you will need to pay 
attention to the install notes and instructions. It is vitally 
important that the installers have the ability to place various 
files and directories in specific places, and that Apache be where 
the installer thinks it should be, in order for things to go 
smoothly. This shouldn’t be much of a problem for most fresh 
installs. 

Configuring & 
Extending 

Okay, so you have Lasso or PHP installed, now what? Well, 
the first order of business would be to make any special tweaks, 
maybe install a custom PHP extension or Lasso module to add 
extended functionality. While both PHP and Lasso allow 
programmers to write their own functions (called custom tags in 
Lasso) directly in the script files themselves, you'll eventually 
need/want to write and/or install pre-compiled functionality that 
is available throughout your site, not just functions defined in 
scripts and associated include files. PHP and Lasso offer this 
functionality through different methods. PHP incorporates PHP 
extensions, written and compiled in C, that give programmers a 
robust set of extended functionality and customization options. 
Lasso lets you utilize C/C++, Java and LassoScript to create new 
tags, data sources and types. 

Installing PHP extensions will require you to download or 
write the extension, compile it if it isn’t already, and then 
modify one of your configuration files for PHP or Apache: 
php.ini, httpd.conf or .htaccess. It may often be required to also 
re-compile PHP itself to gain the functionality of a particular 
extension. Lasso will require you to write or download the tag, 
type or module, compile it if necessary (actually most 
downloaded Lasso solutions are pre-compiled) and then drag 
and drop it into the associated folder inside your server's Lasso 
Professional Server folder. PHP deprecated the ability to load 
PHP extensions on demand via the dl() function in version 5. 
As a result, you must now specify which dynamically loadable 
extensions you want loaded at startup in the php.ini file. Lasso 
offers on-demand loading when you drag LassoApps and 
custom tag libraries into certain folders inside the Lasso 
Professional Server folder; such items load on-demand when 
called from a script. Further, any Lasso custom tags (equivalent 
to PHP functions) and LassoApps that are placed in your 
server’s LassoStartup folder will be automatically compiled 
and cached when the server starts up and available site wide, 
very nice. 

Administration 

When it comes to administering your server, Lasso really 
shines. As mentioned above, Lasso administrators can access the 
Lasso Administration pages (figure 1) on their web server and 
configure everything from database connections to security to file 
permissions, as well as monitor Lasso performance and even 
set up tasks on schedules. An administrator can even dictate which 
tags a user or group can or can't use. All of this is done through 
a nicely laid out web interface, and is included with the standard 
install. PHP's administration is confined solely to config files and 
server settings. That is by no means to say that administering PHP 
is limited or restricted, only that it does take a deeper technical 
understanding of your config file locations, layouts and 
parameters. It isn’t for the easily intimidated. 

Another area of interest is site administration. Both Lasso 
and PHP allow server administrators to assign certain control to 
site owners, so they can make configurations for their particular 
site on shared hosting solutions. PHP achieves this functionality 
primarily through the .htaccess file, where web masters can mark 
up their Apache commands to control how PHP processes files. 
Lasso, on the other hand, allows server admins to grant 
administrative privileges to individual web masters to control 
their site(s) through the Lasso Admin interface. This is nice not 
only because users can make their own security settings, file 
permissions etc. without bugging their ISP, but they can also 
check server logs for specific Lasso errors and set up their own 
events and LassoApps. 

Security 

Through its “Lasso Admin” pages, Lasso offers an extra 
security layer to web applications. Administrators can set up 
groups and users, and also define which data sources those 
users and groups can access, and what they can do to them, 
such as updates, selects, and deletes. A common strategy here is 
to code your front end Lasso pages with queries using a user in 
your group that can only perform select statements, while at the 
same time using a separate group of users for your backend 
and intranet pages where trusted visitors access your site. This 
way, even if a username and password were compromised on a 
corporate web server, for example, the extent of any malicious 
activity would be greatly reduced. 

Of course, it can be said that setting up your MySQL 
security properly can reach some of the same goals in PHP, but 
that is not completely the same, and here's why. If you set up a 
user in Lasso Admin, you not only designate what actions the 
user can take and what data sources they can connect to, 
including database names, tables, and even fields, you also 
specify the username and password for the databases, such as 
MySQL. This means the username and password for your 
database, as well as the database name itself, are never in a file 
on your server where web or FTP permissions may be 
compromised. Unlike the standard method in PHP of utilizing an 
include file for your database connection settings, the Lasso 
Admin pages store these permissions in their own secure internal 
database and control database and file executions on a per 
request basis. 

One final thought in the area of security is that Lasso enjoys 
a somewhat “out-of-view” advantage in that not many hackers 
are really aware of the language. This is similar in many respects 
to how Mac users have enjoyed fairly virus free computing 
because of the fact that Microsoft is just so much bigger and thus 
an easier target. With obscurity comes a bit of safety. If you 
Google “PHP Hacking”, you’ll get around 25 million fairly 
relevant results whereas a “Lasso Hacking” search will return 
around 125 thousand mostly irrelevant results. 

Language Structures: Say What? 

Syntax 

Both PHP and Lasso have language structures that are similar 
enough that someone who is comfortable with one would be able 
to learn the other in a short amount of time. For me, it took a day 
or two to feel comfortable with PHP after three years of using Lasso. 
That's not to say there weren’t a lot of trips to php.net to find the 
right functions, but learning how to declare variables, perform 
loops and conditional statements was not a huge leap. Both 
languages open their script blocks with similar syntax. PHP can be 
opened with either <?php or <? while Lasso uses 
<?lassoscript to identify its opening block. Both close with 
?>. Lasso also offers the option of using the [ and ] brackets to 
execute its code in smaller bits, which can come in handy in some 
situations, but for this article we'll be using the LassoScript syntax. 
Let's look at some simple code to see how the two compare. First 
let's look at a bit of Lasso code in LassoScript format. 

<?lassoscript 

// declare a variable 
var:'the_variable' = 'some text'; 

// concatenate more text 
$the_variable += ' more text'; 

// conditional 
if: ($the_variable == ''); 
    'Empty'; 
else; 
    'Not Empty'; 
/if; 

?> 

The above code declares a variable, assigns a string value, 
concatenates more text onto the variable, and finally it does a 
test to see if the variable is empty and outputs a response to the 
HTML page. Now, let's look at how we would do this in PHP. 

<?php 

// declare a variable 
$the_variable = 'some text'; 

// concatenate more text 
$the_variable .= 'more text'; 

// conditional 
if ($the_variable == '') 
{ 
    echo 'Empty'; 
} 
else 
{ 
    echo 'Not Empty'; 
} 

?> 

As you can see, the two languages have similar structures. 
The manner in which the two languages handle variables is 
probably the biggest difference. In Lasso, a variable must first 
be initialised with either var: or variable: and can from 
then on be called using $. PHP, in contrast, simply allows you 
to set your variables with just $. While the PHP method is 
quicker, it is not good practice and can encourage new 
programmers to pick up bad habits. For instance, Lasso will 
throw an error if a variable is called that has not been 
initialized, making it easier to debug and secure your code. On 
the other hand, by default, PHP will just act as if the variable 
is empty, thus making it difficult to debug why or where a 
solution is failing. In addition, if register_globals is not 
disabled in the PHP configuration file, and variables are passed 
using POST or GET methods, it can set variables that have not 
been initialized, thus leaving a solution open to security risks. 
Lasso will only read POST and GET data through its 
Action_Param substitution tag, thus ensuring that such 
values are explicitly called for in the script. 
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Talking to Databases 

Let's take a look at another common area of code in
scripting languages, database queries. Lasso and PHP access
databases differently. Lasso uses a database abstraction layer,
while PHP utilizes database specific functions to directly access
databases. Database abstraction layers provide the ability to
code your scripted web pages while minimizing the dependence
on one particular database vendor. Let's say, for example, your
solution uses MySQL as your database today, but in a year your
company decides to switch to Oracle. Perhaps you're developing
a solution for a client who uses PostgreSQL, but your
development box is MySQL. Without a database abstraction
layer, you will have a little more work on your hands, as you'll
need to re-engineer any database-specific functions.

Database abstraction has been at the heart of Lasso, since
they began supporting multiple databases, beginning with
version 5. PHP currently has no abstraction layer built in. You
can install and set up various third party database abstraction
layers using PHP, but again, they are not a part of the standard
install, and depending on which solution you implement, you
may incur additional overhead as a result of additional script
inclusion and processing. Lasso's implementation is native out
of the box: it is a part of the compiled language, and thus has
the advantage of consistency and low overhead, if any.
Another great advantage is that you can use LassoScript to code
your own data source connection to, say, a CSV text file, that
you can then use an Inline to access - slick. One final Mac
specific feature Lasso offers in 8.5 is the ability to use OS X's
Spotlight feature as a data source. You can use an Inline to
search your iTunes folder, for example, and return the artists,
album names and durations of songs - all as a normal record
set, how cool is that?

As mentioned above, Lasso's default database connection
method is via a database abstraction layer, and the following is
a typical example of that method.

<?lassoscript
    // declare and set your SQL statement variable
    var: 'the_sql' = '
        SELECT
            first_name,
            last_name
        FROM
            customers
        WHERE last_name = "Smith"';

    // run the query
    Inline:
        -database='the_database',
        -username='any_user',
        -password='the_password',
        -sql=$the_sql;

        // loop through the found set
        records;
            (field: 'first_name') + ' ' + (field: 'last_name') + '<br>';
        /records;

    /Inline;
?>

In the above code, we are setting a single variable to hold
our SQL statement, and then using Lasso's Inline function to
connect to the database and retrieve the record set. The Inline
function accepts parameters for the database name, which is not
necessarily the actual name of the MySQL database, but the alias
assigned to it through Lasso Admin. Likewise, the username and
password parameters are not the username and password set in
MySQL permissions, but are those of the user/group set up in
Lasso Admin who have (or should have) access to the requested
database. The -SQL parameter is obviously the SQL statement to
be executed. Inside the records tags, each row of the found
set is looped through, and the field tag is used to retrieve a
particular field value for the current row. There are more than a
few additional parameters you can include in your inline
statements, and you can also name your inlines, so you can use
the record set elsewhere in your script without needing to
rewrite your inline.

Now let's look at a typical PHP MySQL query. The overall
logic is similar, but it requires a little more setup, and does
require that you put your MySQL database name, username and
password directly in your script. Permissions are handled via
MySQL and as mentioned, it is often the best technique to utilize
an include file with relevant file permissions for the purpose of
code reuse and security.

<?php
    // set connection parameters; usually this is an include file
    $connect = mysql_connect('localhost', 'un', 'pw') or
        die('cannot connect to database');
    $db = 'the_database';
    $db_select = mysql_select_db($db, $connect) or
        die('Unable to select the database');

    // declare and set your SQL statement variable
    $the_sql = '
        SELECT
            first_name,
            last_name
        FROM
            customers
        WHERE last_name = "Smith"';

    // run the query
    $result = mysql_query($the_sql, $connect) or die('Error');


    // loop through the found set
    while ($row = mysql_fetch_array($result))
    {
        echo $row['first_name'].' '.$row['last_name'];
    }
?>

You can see that the PHP method is similar to Lasso for
querying a MySQL database. I have found that both PHP and
Lasso MySQL queries require about the same amount of
coding to perform, and that the advantage of Lasso's native
abstraction layer is a nice insurance policy for the possibility
of changing data sources down the road. In all reality, should
one make such a transition in either language, you will still
need to rewrite your SQL statements throughout your
solution, and if you use an include file for your connection
parameters in PHP, which you should, then the only other
real bother is replacing the MySQL specific functions for
mysql_query and mysql_fetch_array, something
that is not too huge a task for most solutions, especially
using find and replace.

Naming Conventions 

Another area where the two languages differ is in the
consistency of their function/tag names. Lasso has the upper
hand in consistency in that all of their functions, called tags in
Lasso, adhere to a strict structure that is conducive to learning,
recognizing and remembering. Lasso substitution tags, for
example, always take the form of
Category_OperationBeingDone. PHP's naming
conventions are now standardized, but once weren't and thus,
for reasons of backward compatibility, many function names
are inconsistent in that they may or may not use underscores,
and may have the operation listed before the category or the
other way around.

In the end, both languages utilize fairly similar structures.
Lasso's is stricter, which forces you to write cleaner code by
initializing your variables. PHP's more liberal parsing can make
it easier for first timers to get going, but in the end is prone to
encourage bad coding habits, if you aren't mindful.

Resources 

Authoring 

An important aspect of any programming language is
the tools available to author it in. Both PHP and Lasso can
do well in the top environments including Dreamweaver,
BBEdit, and Eclipse. Out of the box, Dreamweaver offers
excellent PHP code coloring and function name recognition
to make writing your code easier. A quick search on the
Lasso list will score you links to downloadable Dreamweaver
code coloring files that can do the same.

For those who are just venturing into Lasso
programming, it is worth noting OmniPilot's Lasso Studio for
Dreamweaver and Lasso Studio for GoLive products. These
products integrate with Macromedia Dreamweaver and
Adobe GoLive respectively. While they are by no means as
deep as high octane hand coded solutions with all sorts of
tricky custom tags, these products do make it a heck of a lot
easier to get started for those just starting out. Eventually,
you'll likely progress toward hand coded solutions, but these
products do let you be productive in a short amount of time,
and thus have their value.

If you prefer to work in an IDE, like the popular open
source Eclipse solution, you again have options in both camps.
You can obtain a free Eclipse plug-in for PHP called PHPEclipse.
OmniPilot offers a product called Lasso Studio for Eclipse that
allows you to code, debug, and preview your code via the
Eclipse IDE for $199.

Books, Forums, and Lists, Oh My! 

One of the most enticing aspects of using PHP is its
widespread adoption in the online community. The result is that
you can Google just about anything you want to, figure out how
to do it in PHP, and find an answer fairly quickly. There are a
lot of sites with sample code and tutorials, as well as free
libraries of functions and forums to post to. In the same breath,
Lasso, while smaller, also offers a very active developer
community, as well as a good smattering of sites with free
tutorial and code resources. The Lasso list is very active and
newcomers are warmly welcomed and helped along. LassoChat is
also fairly active. You can IM LassoChat from iChat to meet some
Lassoers. Books and magazines are everywhere for PHP but I
have found the best resources on the web. I will also say that I
have never found a problem in either language that I couldn't
get a pretty fast answer to by searching forums or visiting a
discussion board.

I have always appreciated the documentation provided by
OmniPilot with their Lasso products. It is really nice to have
full manuals for all aspects of the language that are straight
from the horse's mouth, so to speak. Lasso comes with a Setup
Guide, Language Guide, and Extending Lasso Guide. PHP's
official site, <php.net>, does offer setup instructions, but they
are a little sparse and heavy on the technical aspects. You'll
likely find yourself searching various websites and forum posts
if you need extra help. Both PHP and Lasso have searchable
online tag/function databases; however, Lasso's Language
Guide, available in PDF and paperback, is really nice. The
Language Guide goes through each and every Lasso Tag with
clear instructions and code samples that really help you
pick up the language with minimal effort. In addition, the
guide is laid out in a manner that allows you to find answers
to common tasks such as "Searching and Updating Records"
and "Conditional Logic." These sections walk you through not
only the tags, but the logic and reason. If you're just getting
started with programming, Lasso's Language Guide is an
excellent resource that systematically trains you in all aspects
of the language.

Final Thoughts 

It was tempting, when I started in on this article, to try and
compare PHP and Lasso feature for feature. I quickly realized
that the massive amounts of technicalities, specifications, and
alternative methodologies, hardware and software setups would
make true speed and function comparisons near impossible.
Instead, as I mentioned at the beginning, I decided to highlight
my experiences with both languages, and hopefully give you a
sense about my impressions.

In the end, I like PHP and I like Lasso. I like PHP because
I can author a website and host it anywhere, and Google answers
to questions in the blink of an eye. I like Lasso because it is a
tightly integrated, well thought-out product - something you'll
come to appreciate once you use it. If you are just getting started
with scripting languages, I'd highly recommend either of these
technologies, but would give Lasso the edge in ease and
cohesiveness. When it comes to price, you can't argue with
PHP's - free. However, with OmniPilot now offering Lasso
Developer for free, and shared hosting plans priced
competitively in both languages, the entry to both languages can
be considered, for all intents and purposes, equal.

By Paul T. Ammann

In MacTech April 2006, I wrote an article on Very Precious Network
Security and at the conclusion I had promised the next article would
discuss the implementation of IPSec/L2TP in Mac OS X. Instead of one
follow-up, I will present two that will work from the conceptual to the
more technical. In keeping with the theme, I present this article.


This article provides a general introduction to
network layer security—protecting network
communications at the layer that is responsible for
routing packets across networks. It first introduces the
TCP/IP model and its layers, and then discusses the need
to use security controls at each layer to protect
communications. It provides a brief introduction to IPSec,
primarily focused on the types of protection that IPSec
can provide for communications. In this article, I will
briefly review VPN services and what types of protection
a VPN can provide. Then I will introduce three VPN
architecture models and discuss the features and
common uses for each model.

The Need for Network Layer Security

TCP/IP is widely used throughout the world to
provide network communications. TCP/IP
communications are composed of four layers that work
together. When a user wants to transfer data across
networks, the data is passed from the highest layer
through intermediate layers to the lowest layer, with each
layer adding additional information. The lowest layer
sends the accumulated data through the physical
network; the data is then passed up through the layers to
its destination. Essentially, the data produced by a layer
is encapsulated in a larger container by the layer below
it. The four TCP/IP layers, from highest to lowest, are
shown in Figure 1.

Application Layer. This layer sends and receives data for particular
applications, such as Domain Name System (DNS), HyperText Transfer
Protocol (HTTP), and Simple Mail Transfer Protocol (SMTP).

Transport Layer. This layer provides connection-oriented or
connectionless services for transporting application layer services between
networks. The transport layer can optionally assure the reliability of
communications. Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP) are commonly used transport layer protocols.

Network Layer. This layer routes packets across networks. Internet
Protocol (IP) is the fundamental network layer protocol for TCP/IP. Other
commonly used protocols at the network layer are Internet Control Message
Protocol (ICMP) and Internet Group Management Protocol (IGMP).

Data Link Layer. This layer handles communications on the physical
network components. The best-known data link layer protocol is Ethernet.

Figure 1: TCP/IP Layers 


Security controls exist for network communications at each
layer of the TCP/IP model. As previously explained, data is
passed from the highest to the lowest layer, with each layer
adding more information. Because of this, a security control at
a higher layer cannot provide full protection for lower layers,
because the lower layers perform functions of which the higher
layers are not aware. The following items discuss the security
controls that are available at each layer:

* Application Layer. Separate controls must be
established for each application. For example, if an application
needs to protect sensitive data sent across networks, the
application may need to be modified to provide this protection.
While this provides a very high degree of control and flexibility
over the application's security, it may require a large resource
investment to add and configure controls properly for each
application. Designing a cryptographically sound application
protocol is very difficult, and implementing it properly is even
more challenging, so creating new application layer security
controls is likely to create vulnerabilities. Also, some
applications, particularly off-the-shelf software, may not be
capable of providing such protection. While application layer
controls can protect application data, they cannot protect
TCP/IP information such as IP addresses because this
information exists at a lower layer. Whenever possible,
application layer controls for protecting network
communications should be standards-based solutions that have
been in use for some time. One example is Pretty Good Privacy
(PGP), which is commonly used to encrypt e-mail messages.

* Transport Layer. Controls at this layer can be used to
protect the data in a single communication session between two
hosts. Because IP information is added at the network layer,
transport layer controls cannot protect it. The most common use
for transport layer protocols is securing HTTP traffic; the Transport
Layer Security (TLS) protocol is usually used for this. The use of
TLS typically requires each application to support TLS; however,
unlike application layer controls, which typically involve extensive
customization of the application, transport layer controls such as
TLS are much less intrusive because they simply protect network
communications and do not need to understand the application's
functions or characteristics. Although using TLS may require
modifying some applications, TLS is a well-tested protocol that has
several implementations that have been added to many
applications, so it is a relatively low-risk option compared to
adding protection at the application layer instead. One drawback
of TLS is that it is only capable of protecting TCP-based
communications, as opposed to UDP, because it assumes the
network layer protocol is ensuring reliability.

* Network Layer. Controls at this layer apply to all
applications and are not application-specific. For example, all
network communications between two hosts or networks can be
protected at this layer without modifying any applications on the
clients or the servers. In many environments, network layer
controls such as IPSec provide a much better solution than
transport or application layer controls because of the difficulties
in adding controls to individual applications. Network layer
controls also provide a way for network administrators to
enforce certain security policies. Another advantage of network
layer controls is that since IP information (e.g., IP addresses) is
added at this layer, the controls can protect both the data within
the packets and the IP information for each packet. However,
network layer controls provide less control and flexibility for
protecting specific applications than transport and application
layer controls.

* Data Link Layer. Data link layer controls are applied to
all communications on a specific physical link, such as a
dedicated circuit between two buildings or a dial-up modem
connection to an Internet Service Provider (ISP). Data link layer
controls for dedicated circuits are most often provided by
specialized hardware devices known as data link encryptors;
data link layer controls for other types of connections, such as
dial-up modem communications, are usually provided through
software. Because the data link layer is below the network layer,
controls at this layer can protect both data and IP information.
Compared to controls at the other layers, data link layer controls
are relatively simple, which makes them easier to implement;
also, they support other network layer protocols besides IP.
Because data link layer controls are specific to a particular
physical link, they are poorly suited to protecting connections
with multiple links, such as establishing a VPN over the Internet.
An Internet-based connection is typically composed of several
physical links chained together; protecting such a connection
with data link layer controls would require deploying a separate
control to each link, which is not feasible. Data link layer
protocols have been used for many years primarily to provide
additional protection for specific physical links that should not
be trusted.

Because they can provide protection for many applications
at once without modifying them, network layer security controls
have been used frequently for securing communications,
particularly over shared networks such as the Internet. Network
layer security controls provide a single solution for protecting
data from all applications, as well as protecting IP information.
However, in many cases, controls at another layer are better
suited to providing protection than network layer controls. For
example, if only one or two applications need protection, a
network layer control may be overkill. Controls at each layer
offer advantages and features that controls at other layers do not.


Internet Protocol Security (IPSec) has emerged as the most
commonly used network layer security control for protecting
communications. IPSec is a framework of open standards for
ensuring private communications over IP networks. Depending
on how IPSec is implemented and configured, it can provide any
combination of the following types of protection:

* Confidentiality. IPSec can ensure that data cannot be
read by unauthorized parties. This is accomplished by
encrypting data using a cryptographic algorithm and a secret
key—a value known only to the two parties exchanging data.
The data can only be decrypted by someone who has the secret
key.

* Integrity. IPSec can determine if data has been changed
(intentionally or unintentionally) during transit. The integrity of
data can be assured by generating a message authentication
code (MAC) value, which is a cryptographic checksum of the
data. If the data is altered and the MAC is recalculated, the old
and new MACs will differ.

* Peer Authentication. Each IPSec endpoint confirms the
identity of the other IPSec endpoint with which it wishes to
communicate, ensuring that the network traffic and data is being
sent from the expected host.

* Replay Protection. The same data is not delivered
multiple times, and data is not delivered grossly out of order.
However, IPSec does not ensure that data is delivered in the
exact order in which it is sent.

* Traffic Analysis Protection. A person monitoring
network traffic does not know which parties are communicating,
how often communications are occurring, or how much data is
being exchanged. However, the number of packets being
exchanged can be counted.

* Access Control. IPSec endpoints can perform filtering to
ensure that only authorized IPSec users can access particular
network resources. IPSec endpoints can also allow or block
certain types of network traffic, such as allowing Web server
access but denying file sharing.
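
The integrity and replay protection items above, as an added example that is not part of the original article: a receiver that checks a MAC on every packet and then applies a sliding window to sequence numbers, so late packets are accepted once and duplicates are dropped. The packet layout (4-byte sequence number, payload, tag), the use of HMAC-SHA-256, the 64-packet window and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA-256 tag length in bytes (assumed algorithm)
WINDOW = 64    # replay window size in packets (assumed value)


def seal(key, seq, payload):
    """Sender side: 4-byte sequence number + payload + MAC over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the MAC first, then applies the sliding replay window."""

    def __init__(self, key):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set => sequence (highest - i) was accepted

    def accept(self, packet):
        """Return ("ok", payload) or ("drop", reason)."""
        if len(packet) < 4 + TAG_LEN:
            return ("drop", "too short")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Integrity comes first: the window must never move on forged input.
        if not hmac.compare_digest(tag, expected):
            return ("drop", "bad MAC")
        (seq,) = struct.unpack("!I", body[:4])
        if seq == 0:
            return ("drop", "invalid sequence")
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift >= WINDOW:
                self.seen = 1
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= WINDOW:
                return ("drop", "too old")      # grossly out of order
            if self.seen & (1 << offset):
                return ("drop", "replay")       # same data delivered twice
            self.seen |= 1 << offset            # late but new: accept once
        return ("ok", body[4:])


def demo():
    """Run constructed traffic through a receiver; return each verdict."""
    key = b"constructed-demo-key-not-secret!"
    rx = Receiver(key)
    tampered = bytearray(seal(key, 4, b"pay 100"))
    tampered[-TAG_LEN - 1] ^= 0x01              # one payload bit altered in transit
    traffic = [
        seal(key, 1, b"first"),
        seal(key, 3, b"third"),
        seal(key, 2, b"second"),                # out of order, inside the window
        seal(key, 3, b"third"),                 # duplicate of an accepted packet
        bytes(tampered),
        seal(key, 4, b"pay 100"),               # genuine packet still accepted
        seal(key, 100, b"jump"),
        seal(key, 36, b"stale"),                # 64 behind the highest: too old
    ]
    verdicts = []
    for packet in traffic:
        status, detail = rx.accept(packet)
        verdicts.append("ok" if status == "ok" else detail)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Out-of-order packet 2 is accepted while the duplicate of packet 3 is dropped, which matches the article's point that replay protection does not imply in-order delivery.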

Virtual Private Networking (VPN) 

The most common use of IPSec implementations is
providing Virtual Private Networking (VPN) services. A VPN is a
virtual network, built on top of existing physical networks,
which can provide a secure communications mechanism for data
and IP information transmitted between networks. Because a
VPN can be used over existing networks, such as the Internet, it
can facilitate the secure transfer of sensitive data across public
networks. This is often less expensive than alternatives such as
dedicated private telecommunications lines between
organizations or branch offices. VPNs can also provide flexible
solutions, such as securing communications between remote
telecommuters and the organization's servers, regardless of
where the telecommuters are located. A VPN can even be
established within a single network to protect particularly
sensitive communications from other parties on the same
network. The next 3 sections discuss these three models:
gateway-to-gateway, host-to-gateway, and host-to-host.

VPNs can use both symmetric and asymmetric forms of
cryptography. Symmetric cryptography uses the same key for
both encryption and decryption, while asymmetric
cryptography uses separate keys for encryption and
decryption, or to digitally sign and verify a signature.
Symmetric cryptography is generally more efficient and
requires less processing power than asymmetric cryptography,
which is why it is typically used to encrypt the bulk of the data
being sent over a VPN. One problem with symmetric
cryptography is with the key exchange process; keys must be
exchanged out-of-band to ensure confidentiality. Common
algorithms that implement symmetric cryptography include
Digital Encryption Standard (DES), Triple DES (3DES),
Advanced Encryption Standard (AES), Blowfish, RC4,
International Data Encryption Algorithm (IDEA), and the hash
message authentication code (HMAC) versions of Message
Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).

Asymmetric cryptography (also known as public key
cryptography) uses two separate keys to exchange data. One
key is used to encrypt or digitally sign the data, and the other
key is used to decrypt the data or verify the digital signature.
These keys are often referred to as public/private key
combinations. If an individual's public key (which can be
shared with others) is used to encrypt data, then only that
same individual's private key (which is known only to the
individual) can be used to decrypt the data. If an individual's
private key is used to digitally sign data, then only that same
individual's public key can be used to verify the digital
signature. Common algorithms that implement asymmetric
cryptography include RSA, Digital Signature Algorithm (DSA),
and Elliptic Curve DSA (ECDSA).

Although there are numerous ways in which IPSec can be
implemented, most implementations use both symmetric and
asymmetric cryptography. Asymmetric cryptography is used to
authenticate the identities of both parties, while symmetric
encryption is used for protecting the actual data because of its
relative efficiency.

It is important to understand that VPNs do not remove all
risk from networking. While VPNs can greatly reduce risk,
particularly for communications that occur over public
networks, they cannot eliminate all risk for such
communications. One potential problem is the strength of the
implementation. For example, flaws in an encryption
algorithm or the software implementing the algorithm could
allow attackers to decrypt intercepted traffic; random number
generators that do not produce sufficiently random values
could provide additional attack possibilities. Another issue is
encryption key disclosure; an attacker who discovers a key
could not only decrypt traffic, but potentially also pose as a
legitimate user. Another area of risk involves availability. A
common model for information assurance is based on the
concepts of confidentiality, integrity, and availability.
Although VPNs are designed to support confidentiality and
integrity, they generally do not improve availability, the
ability for authorized users to access systems as needed. In
fact, many VPN implementations actually tend to decrease
availability somewhat because they add more components
and services to the existing network infrastructure. This is
highly dependent upon the chosen VPN architecture model
and the details of the implementation. The following sections
describe each of the three primary VPN architectures:
host-to-host, host-to-gateway, and gateway-to-gateway.

Gateway-to-Gateway Architecture

IPSec-based VPNs are often used to provide secure network
communications between two networks. This is typically done
by deploying a VPN gateway onto each network and
establishing a VPN connection between the two gateways.
Traffic between the two networks that needs to be secured
passes within the established VPN connection between the two
VPN gateways. The VPN gateway may be a dedicated device that
only performs VPN functions, or it may be part of another
network device, such as a firewall or router. Figure 2 shows an
example of an IPSec network architecture that uses the
gateway-to-gateway model to provide a protected connection between
the two networks.



Figure 2: Gateway-to-Gateway Architecture Example 

This model is relatively simple to understand. To
facilitate VPN connections, one of the VPN gateways issues a
request to the other to establish an IPSec connection. The
two VPN gateways exchange information with each other
and create an IPSec connection. Routing on each network is
configured so that as hosts on one network need to
communicate with hosts on the other network, their network
traffic is automatically routed through the IPSec connection,
protecting it appropriately. A single IPSec connection
establishing a tunnel between the gateways can support all
communications between the two networks, or multiple
IPSec connections can each protect different types or classes
of traffic.

Figure 2 illustrates that a gateway-to-gateway VPN does not
provide full protection for data throughout its transit. In fact, the
gateway-to-gateway model only protects data between the two
gateways, as denoted by the solid line. The dashed lines indicate
that communications between VPN clients and their local
gateway, and between the remote gateway and destination hosts
(e.g., servers) are not protected.

The other VPN models provide protection for more of the
transit path. The gateway-to-gateway model is most often used
when connecting two secured networks, such as linking a
branch office to headquarters over the Internet.
Gateway-to-gateway VPNs often replace more costly private wide area
network (WAN) circuits.

The gateway-to-gateway model is the easiest to
implement, in terms of user and host management.
Gateway-to-gateway VPNs are typically transparent to users, who do
not need to perform separate authentication just to use the 
VPN. Also, the users' systems and the target hosts (e.g., 
servers) should not need to have any VPN client software 
installed, nor should they require any reconfiguration, to be 
able to use the VPN. 

Host-to-Gateway Architecture 

An increasingly common VPN model is the host-to-gateway 
model, which is most often used to provide secure remote access.
The organization deploys a VPN gateway onto their network; each 
remote access user then establishes a VPN connection between the 
local computer (host) and the VPN gateway. As with the
gateway-to-gateway model, the VPN gateway may be a dedicated device or
part of another network device. Figure 3 shows an example of an 
IPSec host-to-gateway architecture that provides a protected 
connection for the remote user. 



Figure 3: Host-to-Gateway Architecture Example 

In this model, IPSec connections are created as needed for 
each individual VPN user. Remote users' hosts have been
configured to act as IPSec clients with the organization's IPSec
gateway. When a remote user wishes to use computing
resources through the VPN, the host initiates communications
with the VPN gateway. The user is typically asked by the VPN
gateway to authenticate before the connection can be 
established. The VPN gateway can perform the authentication 
itself or consult a dedicated authentication server. The client 
and gateway exchange information, and the IPSec connection 
is established. The user can now use the organization's 
computing resources, and the network traffic between the 
user's host and the VPN gateway will be protected by the IPSec 
connection. Traffic between the user and systems not 
controlled by the organization can also be routed through the 
VPN gateway; this allows IPSec protection to be applied to this 
traffic as well if desired. 

As shown in Figure 3, the host-to-gateway VPN does not 
provide full protection for data throughout its transit. The 
dashed lines indicate that communications between the 
gateway and the destination hosts (e.g., servers) are not 
protected. The host-to-gateway model is most often used
when connecting hosts on unsecured networks to resources
on secured networks, such as linking traveling employees
around the world to headquarters over the Internet.
Host-to-gateway VPNs often replace dial-up modem pools. The
host-to-gateway model is somewhat complex to implement and
maintain in terms of user and host management.
Host-to-gateway VPNs are typically not transparent to users because
they must authenticate before using the VPN. Also, the users'
hosts need to have VPN client software configured.

Host-to-Host Architecture 

The least commonly used VPN architecture is the host-to- 
host model, which is typically used for special purpose needs, 
such as system administrators performing remote management 
of a single server. In this case, the organization configures the 
server to provide VPN services and the system administrators' 
hosts to act as VPN clients. The system administrators use the 
VPN client when needed to establish encrypted connections to
the remote server. Figure 4 shows an example of an IPSec
network architecture that uses the host-to-host model to provide
a protected connection to a server for a user.





Figure 4: Host-to-Host Architecture Example 

In this model, IPSec connections are created as needed for 
each individual VPN user. Users' hosts have been configured to 
act as IPSec clients with the IPSec server. When a user wishes to
use resources on the IPSec server, the user's host initiates
communications with the IPSec server. The user is asked by the
IPSec server to authenticate before the connection can be
established. The client and server exchange information, and if
the authentication is successful, the IPSec connection is
established. The user can now use the server, and the network
traffic between the user's host and the server will be protected
by the IPSec connection. 

As shown in Figure 4, the host-to-host VPN is the only
model that provides protection for data throughout its transit.
This can be a problem, because network-based firewalls,
intrusion detection systems, and other devices cannot be placed
to inspect the decrypted data, which effectively circumvents
certain layers of security. The host-to-host model is most often
used when a small number of trusted users need to use or
administer a remote system that requires the use of insecure
protocols (e.g., a legacy system) and can be updated to provide
VPN services.

The host-to-host model is resource-intensive to implement
and maintain in terms of user and host management.
Host-to-host VPNs are not transparent to users because they must
authenticate before using the VPN. Also, all user systems and
servers that will participate in VPNs need to have VPN software
installed and/or configured.

Model Comparison 

Table 1 provides a brief comparison of the three VPN
architecture models. 


Summary 

This article described the TCP/IP model and its layers— 
application, transport, network, and data link—and explained 
how security controls at each layer provide different types of 
protection for TCP/IP communications. IPSec, a network layer 
security control, can provide several types of protection for data, 
depending on its configuration. Most IPSec implementations 
provide VPN services to protect communications between 
networks. The article described VPNs and highlighted the three
primary VPN architecture models. The following summarizes the
key points from this article:

* TCP/IP is widely used throughout the world to provide
network communications. The TCP/IP model is composed of the
following four layers, each having its own security controls that
provide different types of protection:

- Application layer, which sends and receives data for 
particular applications. Separate controls must be established 
for each application; this provides a very high degree of 
control and flexibility over each application’s security, but it 
may be very resource-intensive. Creating new application
layer security controls is also more likely to create 
vulnerabilities. Another potential issue is that some 
applications may not be capable of providing such protection 
or being modified to do so. 


- Transport layer, which provides connection-oriented
or connectionless services for transporting application layer
services across networks. Controls at this layer can protect
the data in a single communications session between two
hosts. The most frequently used transport layer control is
TLS/SSL, which most often secures HTTP traffic. To be used,
transport layer controls must be supported by both the clients
and servers.

- Network layer, which routes 
packets across networks. Controls at 
this layer apply to all applications 
and are not application-specific, so 
applications do not have to be 
modified to use the controls. 
However, this provides less control 
and flexibility for protecting specific 
applications than transport and 
application layer controls. Network 
layer controls can protect both the 
data within packets and the IP 
information for each packet. 

- Data link layer, which handles communications on the
physical network components. Data link layer controls are suitable
for protecting a specific physical link, such as a dedicated circuit
between two buildings or a dial-up modem connection to an ISP.
Because each physical link must be secured separately, data link
layer controls generally are not feasible for protecting connections
that involve several links, such as connections across the Internet.

* IPSec is a framework of open standards for ensuring 
private communications over IP networks which has become 
the most commonly used network layer security control. It can 
provide several types of protection, including maintaining 
confidentiality and integrity, authenticating the origin of data, 
preventing packet replay and traffic analysis, and providing
access protection. 

* A VPN is a virtual network built on top of existing 
networks that can provide a secure communications mechanism 
for data and IP information transmitted between networks. VPNs 
generally rely on both symmetric and asymmetric cryptography 
algorithms. Asymmetric cryptography is used to provide peer 
authentication; symmetric encryption is used to protect the
actual data transfers because of its relative efficiency. 

* Although VPNs can reduce the risks of networking, they
cannot eliminate it. For example, a VPN implementation may
have flaws in algorithms or software that attackers can exploit. 
Also, VPN implementations often have at least a slightly negative 
impact on availability, because they add components and 
services to existing network infrastructures. 

* There are three primary models for VPN architectures,
as follows: 


Feature                                 | Gateway-to-Gateway | Host-to-Gateway              | Host-to-Host
----------------------------------------+--------------------+------------------------------+-----------------------------
Provides protection between client and  | No                 | N/A (client is VPN endpoint) | N/A (client is VPN endpoint)
local gateway                           |                    |                              |
Provides protection between VPN         | Yes                | Yes                          | Yes
endpoints                               |                    |                              |
Provides protection between remote      | No                 | No                           | N/A (server is VPN endpoint)
gateway and remote server (behind       |                    |                              |
gateway)                                |                    |                              |
Transparent to users                    | Yes                | No                           | No
Transparent to users' systems           | Yes                | No                           | No
Transparent to servers                  | Yes                | Yes                          | Yes

Table 1: Comparison of VPN Architecture Models



- Gateway-to-gateway. It connects two networks by
deploying a gateway to each network and establishing a VPN
connection between the two gateways. Communications
between hosts on the two networks are then passed through the
VPN connection, which provides protection for them. No
protection is provided between each host and its local gateway.
The gateway-to-gateway model is most often used when connecting
two secured networks, such as a branch office and headquarters,
over the Internet. This often replaces more costly private WAN
circuits. Gateway-to-gateway VPNs are typically transparent to
users and do not involve installing or configuring any software
on clients or servers.

- Host-to-gateway. It connects hosts on various
networks with hosts on the organization's network by 
deploying a gateway to the organization's network and 
permitting external hosts to establish individual VPN 
connections to that gateway. Communications are protected 
between the hosts and the gateway, but not between the 
gateway and the destination hosts within the organization. 
The host-to-gateway model is most often used when 
connecting hosts on unsecured networks to resources on 
secured networks, such as linking traveling employees to 
headquarters over the Internet. Host-to-gateway VPNs are 
typically not transparent to users because each user must 
authenticate before using the VPN and each host must have 
VPN client software installed and configured. 

- Host-to-host. It connects hosts to a single target host
by deploying VPN software to each host and configuring the 
target host to receive VPN connections from the other hosts. 
This is the only VPN model that provides protection for data 
throughout its transit. It is most often used when a small
number of users need to use or administer a remote system 
that requires the use of insecure protocols and can be 
updated to provide VPN services. The host-to-host model is 
resource-intensive to implement and maintain because it 
requires configuration on each host involved, including the 
target. 


About The Author 

Paul 1 Ammann has been working in IT for almost 20 years now. He is happily 
married to his wife fve for / years , He finds writing the author's bio the 
toughest part of the article. He can be contacted at pammann@spymac.com.

Notes 

1. At each layer, the logical units are typically composed of a
header and a payload. The payload consists of the information
passed down from the previous layer, while the header contains
layer-specific information such as addresses. At the application
layer, the payload is the actual application data.

2. Several Request for Comment (RFC) documents from the
Internet Engineering Task Force (IETF) define PGP, as well as
standards for using it to protect e-mail messages. One example is
RFC 3156, MIME Security with OpenPGP, available at
http://www.ietf.org/rfc/rfc3156.txt.

3. TLS is the standards-based version of Secure Sockets Layer
(SSL) version 3. More information on TLS is available from the IETF
Transport Layer Security working group home page at
http://www.ietf.org/html.charters/tls-charter.html, and in RFC 2246, The TLS
Protocol Version 1.0, available at http://www.ietf.org/rfc/rfc2246.txt.

4. The IPSec protocols were developed within the IPSec
Working Group of the Internet Engineering Task Force (IETF).
They are defined in 2 types of documents: Request for
Comment (RFC), which are accepted standards; and
Internet-Drafts, which are working documents that may become RFCs.
The last 2 digits of the name of an Internet-Draft represent its
version number (e.g., 00 or 05). Since this is subject to change,
this document will substitute "xx" for the version number of
referenced Internet-Drafts. A list of IPSec documents can be
found at http://www.ietf.org/html.charters/OLD/IPSec-charter.html

5. Out-of-band refers to using a separate communications
mechanism to transfer information. For example, the VPN cannot
be used to exchange the keys securely because the keys are
required to provide the necessary protection.

6. Federal agencies must use FIPS-approved encryption
algorithms contained in validated cryptographic modules. The
list of algorithms in this section includes algorithms such as
DES and MD5 that are either no longer approved or were
never approved. The Cryptographic Module Validation
Program (CMVP) at NIST coordinates FIPS 140-2 testing; the
CMVP Web site is located at http://csrc.nist.gov/cryptval/. See
http://csrc.nist.gov/cryptval/des.htm for information on
FIPS-approved symmetric key algorithms. FIPS 140-2, Security
Requirements for Cryptographic Modules, is available at
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

7. FIPS-approved algorithms must also be used for digital
signatures. See http://csrc.nist.gov/cryptval/dss.htm for information on
such algorithms.

8. Most (but not all) personal computer operating systems have
built-in VPN clients, so it may be necessary to install VPN clients on
some hosts.

9. Device placement can also be an issue in host-to-gateway
and gateway-to-gateway architectures, but in those architectures
it is usually possible to move devices or deploy additional
devices to inspect decrypted data. This is not possible with a
host-to-host architecture.


More Scriptable Access to Remote Directories

For some time now, we have been discussing various ways to
interact with directories on remote servers using scriptable FTP
clients. So far, we have discussed scripting Fetch
(http://www.fetchsoftworks.com) and Transmit (http://www.panic.com),
both of which are widely used scriptable FTP clients for the
Macintosh. However, these applications are not the only options
available to you. In this month's column, we will discuss some
other options for interacting with remote directories, including
using Cyberduck, URL Access Scripting, and more. Please note that
in order to test the code throughout this column, you will need to
acquire access to an FTP server, either remote or on your local
network. If you have been following along the past few months,
then you may recall that for testing, I created a local FTP server by
enabling FTP access on another machine within my office.

Cyberduck

The first option for remote directory interaction that we will
discuss is an application called Cyberduck (see figure 1).
Cyberduck is an open source scriptable FTP/SFTP client, which
you can find on the web at <http://cyberduck.ch/>.

Using Cyberduck, you can connect to remote servers, browse
their directory structures, upload files, download files, and more.

Connecting to a Server

In order to begin interacting with a remote directory using
Cyberduck, you will need to open a connection to the server that
houses that directory. This is done by creating a browser window
in Cyberduck, if one does not already exist, and then telling that
browser window to connect to the server. The following example
code demonstrates how this may be done:

set theServerAddress to "10.0.1.3"
set theUserName to "myUserName"
set thePassword to "myPassword"

tell application "Cyberduck"
    -- make returns a reference to the new browser window
    set theBrowser to make new browser
    tell theBrowser
        connect to theServerAddress as user theUserName ¬
            with password thePassword
    end tell
end tell

In the code above, the result of the make command is a
reference to the newly created browser document. This variable
is then used to target the browser in order to make a new
connection using the connect command. In Cyberduck,
browser windows may also be referred to by their index, or front
to back positioning. For example, the following code would
target the frontmost browser window.

tell application "Cyberduck"
    tell browser 1
        -- do something
    end tell
end tell

Changing Folders 

Once a Cyberduck browser window is connected to a
server, you may wish to navigate to another directory on the
server. This may be done by using the change folder
command. The following code will attempt to navigate to the 
Documents > FTP Main directory in the front browser window. 

tell application "Cyberduck"
    tell browser 1
        -- Path is relative to the current remote folder
        change folder to "Documents/FTP Main/"
    end tell
end tell


Uploading Files 

To upload files using Cyberduck, you may use the upload
command, and specify a file reference that you would like to
upload. You may also wish to make use of the refresh command
to update Cyberduck’s display once the upload is complete. 

The following example code will prompt the user to select 
a file. It will then upload the file to the current directory in the 
front browser window. 

set theFile to choose file with prompt ¬
    "Please select a file to upload:" without invisibles
tell application "Cyberduck"
    tell browser 1
        upload file theFile
        -- Update the browser display after the upload
        refresh
    end tell
end tell

Figure 1. Cyberduck

In the example code above, you may be questioning the
use of the word file, following the upload command, since
my variable theFile already contains an AppleScript alias
reference. In this case, the word file is actually a labeled
parameter for Cyberduck's upload command. The upload
command will accept an AppleScript alias or a POSIX-style path
as a value for its file parameter. For example, the following
example code would function in the same manner as the
previous example:

-- Same upload, passing a POSIX-style path instead of an alias
set theFile to POSIX path of (choose file with prompt ¬
    "Please select a file to upload:" without invisibles)
tell application "Cyberduck"
    tell browser 1
        upload file theFile
        refresh
    end tell
end tell


Figure 2 shows a directory in Cyberduck, where a file has
been uploaded using the code from our previous examples.



Listing Folder Contents 

To retrieve a directory listing on a connected server, you
may make use of the browse command. When using this
command, specify the path to the folder whose directory listing
you wish to retrieve as the value for the command's folder
parameter. In the example code below, I have chosen to list the
directory contents of the current folder. I am doing this by
referencing the working folder property of the front
browser window, and specifying that value in the browse
command's folder parameter.

tell application "Cyberduck"
    tell browser 1
        -- List the contents of the current remote folder
        browse folder working folder
    end tell
end tell
--> {"JobImage1.png"}

In this case, my current folder contained only a single 
file, as indicated in the list that is returned as a result of the 
browse command. 

Downloading Files 

To download remote files using Cyberduck, make use of
the download command. Specify the path to the item you wish
to download as a value for the download command's file
parameter, and the desired output folder path as a value for the
download command's to parameter.

tell application "Cyberduck"
    tell browser 1
        -- Save the remote file into the desktop folder
        download file "JobImage1.png" to (path to desktop folder)
    end tell
end tell

When using the download command, you may optionally
choose to specify a value for the command's as parameter, in
order to specify a custom name to use when saving the
downloaded file.

Disconnecting 

To disconnect a browser window in Cyberduck, use the
disconnect command. After doing so, if you will not be
making another connection immediately, you may also want
to use the close command to close the browser window. The
following example code will disconnect and close the
frontmost browser window.

tell application "Cyberduck"
    tell browser 1
        disconnect
        close
    end tell
end tell

Mounting a Remote Server 
on the Desktop 

So far, we have focused on using scriptable FTP/SFTP client
applications as the means for connecting to servers and
interacting with their remote directories. However, Mac OS X
also supports the ability to connect to a server using the Finder.
Once connected to a server, the Finder may be used to navigate 
the directory structure on that server, upload and download 
files, and perform other tasks in the same manner that you 
would with a local directory. 

To connect to a server in the Finder, you can make use of 
the mount volume command. This command can be found 
in the File Commands suite in the StandardAdditions scripting
addition, which is installed with Mac OS X, and is located in the
System > Library > ScriptingAdditions folder on your machine.

The mount volume command accepts a direct 
parameter of the volume, or a server URL, to which you want 
to connect. It also accepts labeled parameters, allowing you 
to specify the name or IP address of the server, the username, 
and password. The following example code demonstrates 
the basic usage of this command, and will mount a shared 
volume on my local network. 

set theServerAddress to "10.0.1.3"
set theUserName to "myUserName"
set thePassword to "myPassword"
set theVolume to "bwaldie"

-- Mount the named shared volume from the server
mount volume theVolume on server theServerAddress ¬
    as user name theUserName with password thePassword
--> file "bwaldie:"

As mentioned briefly above, you can also use the mount
volume command to connect to a server volume by specifying
a server URL, rather than specifying separate parameters. To
access a shared volume, you will typically begin the URL with
afp://, or the Apple filing protocol. The mount volume
command will also accept an smb:// file protocol for accessing
SMB servers.


When specifying a server URL, you can choose to make 
use of the as user name and with password 
parameters. For example: 

mount volume "afp://" & theServerAddress & "/" & theVolume ¬
    as user name theUserName with password thePassword
--> file "bwaldie:"

Alternatively, you may choose to include the username and 
password within the server URL itself. The following code 
shows the proper method for doing this. 

-- Username and password embedded in the URL as user:password@server
mount volume "afp://" & theUserName & ":" & thePassword & "@" & ¬
    theServerAddress & "/" & theVolume
--> file "bwaldie:"

The mount volume command may also be used to
connect to a server via FTP. The method for doing so is similar
to the process of connecting to a server volume via the Apple
file sharing protocol. The difference is that the server's URL
should begin with an ftp:// protocol. For example:

set theServerAddress to "10.0.1.3"
set theUserName to "myUserName"
set thePassword to "myPassword"

-- Same URL form as above, with the ftp:// scheme
mount volume "ftp://" & theUserName & ":" & thePassword & "@" & ¬
    theServerAddress
--> file "bwaldie@10.0.1.3:"

Once connected to a server after using the mount volume
command, the volume should appear on your desktop, and
may be navigated in the Finder either manually or via
AppleScript. See Figure 3.

URL Access Scripting

Another method of working with remote directories is with
the use of URL Access Scripting, which is installed with
Mac OS X. URL Access Scripting can be found in the
System > Library > ScriptingAdditions folder.
Although this location may give the impression that URL Access
Scripting is a scripting addition, it is, in fact, a background
application, and must be targeted using a tell statement, just
like any other application.

As you will find, URL Access Scripting does not provide the
full range of access to remote directories that we have seen with
other applications like Fetch, Transmit, Cyberduck, and the
Finder. However, it does provide a fairly quick way to upload
and download files using AppleScript.

Uploading Files 

To upload a file using URL Access Scripting, make use of
the upload command. When using this command, specify a
reference to the file you want to upload as the direct parameter.
You must also specify a URL for the remote destination folder as
a value for the command's to labeled parameter. To upload to
a protected remote directory, you may choose to include the
username and password directly within the destination URL, in
the same way that we discussed when mounting server volumes
using the mount volume command.

Figure 3. A Mounted Server Volume

The following example code will prompt the user to select
a file to be uploaded. It will then upload the selected file to a
remote directory using URL Access Scripting.

set theServerAddress to "10.0.1.3"
set theUserName to "myUserName"
set thePassword to "myPassword"
set theDirectory to "Documents/FTP Main/"
set theFile to choose file with prompt ¬
    "Please select a file to upload:" without invisibles

-- Destination URL with the username and password embedded
set theURL to "ftp://" & theUserName & ":" & thePassword & "@" & ¬
    theServerAddress & "/" & theDirectory
tell application "URL Access Scripting"
    upload theFile to theURL
end tell
--> true


URL Access Scripting's upload command also possesses a
number of optional parameters, which may be utilized, if
desired. For example, a value may be specified for the
replacing parameter to indicate whether an existing duplicate
item should be replaced on the remote directory when
performing the upload. A binhexing parameter may be used
to automatically binhex the item being uploaded.

tell application "URL Access Scripting"
    -- Overwrite an existing remote copy; do not binhex the file
    upload theFile to theURL replacing yes without binhexing
end tell
--> true


If you prefer not to include a username and password in
the destination URL itself, you may optionally choose to make 
use of the authentication parameter for the upload 
command. For example: 

-- No credentials in the URL; the user is prompted instead
set theURL to "ftp://" & theServerAddress & "/" & theDirectory

tell application "URL Access Scripting"
    upload theFile to theURL with authentication
end tell
--> true


Making use of the authentication parameter will cause
an authentication dialog to be displayed when the command is
executed, allowing the user to manually provide a username
and password. See figure 4.


Figure 4. URL Access Scripting Authentication Dialog

Downloading Files

To download a file using URL Access Scripting, use the
download command, and specify the URL of the remote file you
want to download, as well as the file specification for the
destination file. Like uploading files, if the target file resides on
a protected server, you may choose to include the username and
password within the target URL itself, or you may make use of
the upload command's authentication parameter, allowing the
user to provide this information during execution. The following
example code will attempt to download a file to my desktop,
displaying an authentication dialog when run.

set theFileURL to "ftp://10.0.1.3/Documents/FTP Main/JobImage1.png"
set theDestinationFile to (path to desktop folder as string) & ¬
    "JobImage1.png"

tell application "URL Access Scripting"
    -- Prompts for a username and password when run
    download theFileURL to file theDestinationFile with authentication
end tell
--> file "Macintosh HD:Users:bwaldie:Desktop:JobImage1.png"


In addition to downloading files from FTP servers, URL
Access Scripting's download command may also be used to
download standard web pages. For example, the following
code will download Apple's main web page to a file named
index.html on the desktop.

set theFileURL to "http://www.apple.com"
set theDestinationFile to (path to desktop folder as string) & ¬
    "index.html"

tell application "URL Access Scripting"
    download theFileURL to file theDestinationFile
end tell
--> file "Macintosh HD:Users:bwaldie:Desktop:index.html"

curl 

So far, all of the methods we have discussed for interacting
with remote servers have involved AppleScriptable applications.
However, in Mac OS X, with the power of UNIX, there are other
options available to you. There are numerous command line tools
that may be used to interact with remote servers, which may be
accessed from AppleScript by using the do shell script
command. One such utility is curl, which is often utilized by
AppleScript developers for uploading and downloading files.

Let me preface this section by saying that using curl for
interacting with remote directories is not by any means covered
in its entirety below. The capabilities of curl go far beyond
what I will be touching on in this month's column.
Furthermore, I am an AppleScript developer, and not a UNIX
expert. Therefore, my knowledge of curl is a bit limited at
present, as I have not had many opportunities to utilize it
myself. Because of this, I am sure that the methods I will
discuss below could be greatly enhanced and improved upon in
order to provide greater reliability and functionality.

For more information on curl, I would recommend
checking out its man page in the Terminal and/or browsing
<http://curl.haxx.se/>.

Uploading Files 

To upload a file using curl, specify a destination file URL,
followed by the -T option and the path to the file to be uploaded.
As in some of the previous examples we have seen, a username and
password may be included directly within the destination file URL.

This code will use curl to upload a PNG image on my
desktop to a directory on a protected FTP server.

-- Local file to upload, quoted for the shell
set theFileURL to quoted form of "/Users/bwaldie/Desktop/JobImage1.png"
-- Destination URL with the username and password embedded
set theOutputFile to quoted form of ¬
    "ftp://myUserName:myPassword@10.0.1.3/Documents/FTP Main/JobImage1.png"
set theCommand to "curl " & theOutputFile & " -T " & theFileURL
do shell script theCommand

Downloading Files 

To download a file using curl, specify the target file's URL,
followed by the -o option and the local path to the output file.

The following example code demonstrates how to
download a remote file on a protected FTP server using curl.
This particular file will be downloaded to my desktop.

set theFileURL to quoted form of "ftp://myUserName:myPassword@10.0.1.1/Documents/FTP Main/JobImage1.png"
set theOutputFile to quoted form of "/Users/bwaldie/Desktop/JobImage1.png"
set theCommand to "curl " & theFileURL & " -o " & theOutputFile
do shell script theCommand
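
Both commands above put the account password inside the URL, so it is part of the command string that do shell script hands to the shell. The following shell functions are an added example, not part of the original column: they split a URL of that form into a credential-free URL plus a netrc file readable only by its owner, which curl reads through --netrc-file; all hosts, accounts and paths used with them are placeholders.

```shell
#!/bin/sh
# Added example: move the credentials out of an ftp:// URL of the form used
# in the column and into a netrc file that only its owner can read.
# Every URL, account name and path passed to these functions is a placeholder.

# url_authority URL -> "[user[:password]@]host[:port]"
url_authority() {
    rest=${1#*://}                 # drop the scheme
    printf '%s\n' "${rest%%/*}"    # keep the text before the first "/"
}

# url_host URL -> host name or IPv4 address, without credentials or port
url_host() {
    authority=$(url_authority "$1")
    hostport=${authority##*@}      # text after the last "@"
    printf '%s\n' "${hostport%%:*}"
}

# url_userinfo URL -> "user:password", or nothing when the URL has none
url_userinfo() {
    authority=$(url_authority "$1")
    case $authority in
        *@*) printf '%s\n' "${authority%@*}" ;;
    esac
}

# url_without_userinfo URL -> same URL minus credentials, spaces as %20
url_without_userinfo() {
    scheme=${1%%://*}
    authority=$(url_authority "$1")
    rest=${1#*://}
    case $rest in
        */*) urlpath=/${rest#*/} ;;
        *)   urlpath= ;;
    esac
    printf '%s://%s%s\n' "$scheme" "${authority##*@}" "$urlpath" | sed 's/ /%20/g'
}

# write_netrc FILE URL: store the URL's credentials as one netrc entry.
# Fails (status 1) when the URL has no user:password part or the password
# is empty or contains whitespace, which a plain netrc token cannot hold.
write_netrc() {
    info=$(url_userinfo "$2")
    case $info in
        *:*) user=${info%%:*}; pass=${info#*:} ;;
        *)   return 1 ;;
    esac
    case $pass in
        ''|*[[:space:]]*) return 1 ;;
    esac
    rm -f "$1"
    (
        umask 077                  # the file is created with mode 600
        printf 'machine %s login %s password %s\n' \
            "$(url_host "$2")" "$user" "$pass" > "$1"
    )
}

# ftp_upload NETRC LOCAL_FILE URL: curl -T as in the column, login from NETRC
ftp_upload() {
    curl --silent --show-error --netrc-file "$1" -T "$2" "$(url_without_userinfo "$3")"
}

# ftp_download NETRC URL LOCAL_FILE: curl -o as in the column, login from NETRC
ftp_download() {
    curl --silent --show-error --netrc-file "$1" -o "$3" "$(url_without_userinfo "$2")"
}
```

Moving the credentials into a netrc file keeps them out of the command line only; the FTP login itself still crosses the network in clear text unless the server offers FTP over TLS.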

In Closing 

By now, you should have a variety of options for
interacting with remote directories using AppleScript, and even
some example code to help you to get started. As always, when
working with a scriptable application, you may want to find out
if the developer of that application provides example
AppleScripts as well. Cyberduck, for example, comes with a
number of example AppleScripts, which are all unlocked and
available to you for editing. Be sure to check them out.

Until next time, keep scripting! 


Interested in learning more about a specific AppleScript-related
topic? Feel free to send your topic suggestions
or requests to me at ben@automatedworkflows.com for
consideration, and possible inclusion in future columns.


Solar Star Attic Fans

By MacTech Review Staff 

Saving Energy on Cooling 

Here in Southern California (where MacTech main
offices are), Edison has just had their 3rd rate increase of
the year, and we’re at about 40 cents per kilowatt hour.
Most MacTech readers like knowing about gadgets for the
home, so we thought we'd bring you a bit of information
on a more practical product.

If you have an attic, you probably know that attics
get hot, up to 120-150 degrees in the height of
summer. A hot attic conducts heat into the rest of your
home or office, or at the very least prevents it from
going out. Even during the winter, proper ventilation
helps prevent condensation from forming inside the
attic. That can cause a variety of problems including
significant heat loss from the home if the attic
insulation gets wet.

In looking at the solutions, we took a look at
Solatube’s Solar Star attic fans specifically because they
were solar powered, and therefore would be an easier
install, and a more transparent pay back.

Solatube’s Solar Star Attic Fan

What’s different about this product other than solar power?
The Solar Star has no thermostat or switches, and runs
whenever sunlight strikes the solar panel. There are,
therefore, no electrical hookups, no operational costs, and
a quicker installation process. Also, the 5-year warranty
Solar Star solar panel is high-impact resistant, providing
protection from hail, wind, and damage from foreign objects.

Solar Star offers two versions, the gable vent attic fan
and the roof mount attic fan. We took a look at both.
They are very similar in the way they work, and what they
do, but clearly, the roof mounted unit works better simply
because the laws of physics (heat rising) work with it.
The flip side is that the gable fan is an even easier install.

The fan units come fully assembled, are leak proof,
and provide up to 1,200 square feet of circulation
coverage. The gable fan comes with 15 feet of cable for
you to use between the fan and the solar panel.

The fans can move up to 850 cubic feet per minute
(depending on sunlight conditions). Obviously, these
systems run best when the solar panel is under direct
sunlight (e.g., south facing roof). Since there are no
batteries on the fans, they do not run at night. When there
is shade and provided the sky is bright, the fans run, but
at a slower speed. When there is shading for a longer
portion of the day, an add-on solar panel can be installed
for better performance.

Installation 

Installation really depends on your type of roof. If
you have a composite roof, it’s no big deal. But, if you
have a tile or concrete roof, you should really get an
experienced roofer to do the job. In our case, we went
with one of Solatube’s recommended installers,
Competitive Roofing of Camarillo.

In the case of a composite roof install, it’s about as
easy as cutting the hole and fitting the unit in. Make sure
that you have the right type of flashing to install your
unit (see the Solatube web site for more on this), and in
the more difficult installations, your roofer may want to
fashion something that matches your roof.

Results 

What good would a MacTech article be without some
hard core testing and results? A solar powered attic fan is
a neat concept, but does it work? In short ... absolutely.
Astoundingly well in fact.

First, many attic fans are loud - you can many
times hear them inside the house. The Solar Star
products are very quiet, and you cannot hear them
inside. Even in the attic, they are quieter than the
central air unit's fan.

Second, since the fan starts the moment the sun
comes up, the attic stays ventilated all day, not just when
it's hot enough to kick the thermostat on.

It’s all about the temperature differences, right?
Well, yes and no. On average in our monitoring, the
attic was 7 degrees cooler at a variety of times of the
day. If you are thinking in terms of averages, 7-10
degrees is a pretty good number. On the hottest of
days, we saw a difference of as much as 12 degrees in
the attic. Pretty impressive when you consider how
quiet this 850 cfm fan is.

But what was really impressive is how much faster
the attic cooled down at night. Prior to the attic fan, it
could be 110 degrees in the attic long after midnight.
With the Solar Star installed, we saw temperature drops
of 1 degree every 10 minutes. As a result, after dinner,
we would typically see comfortable attic temperatures.

Why is this important? If you are in a typical two
story house, as our example was, the upstairs have
bedrooms. Really the only time you care about the
bedrooms being cool is at night. The cooling upstairs
is working against the hot attic ... the cooler the attic,
the easier it is to cool the upstairs. Same goes for a
single story house.

The Gable Fan 

For the gable fan testing, we went with a
completely different use - venting the garage to keep it
cooler. Garages tend to get warm not only from
outside sources, but from cars with hot engines, water
heaters, and more. In our test case, the Solar Star gable
fan was able to cool the garage by approximately 10
degrees during the day.

Conclusion 

Who cares what your attic temperature is? You only
care what your cooling costs are, and how long it takes
to cool your living areas. While there were too many
variables to give you a definitive savings on electricity,
it's clear that the AC had a much easier time cooling
after the Solar Star was installed. Bottom line: The Solar
Star made it considerably easier to cool the living area,
and will easily pay for itself in electricity savings.


Retail prices for Solar Star Attic Fans begin at
$399, plus professional installation if required
($125 for simpler installs, more for more difficult
installs). See http://www.solatube.com/res_solarstar.php
for more information.
KILL A WATT

By MacTech Review Staff

Kill A Watt is a device that measures electricity
usage of appliances. Armed with information, you can
effectively reduce your power consumption. It is
equipped with a large LCD that displays electricity
consumption by the kilowatt-hour, and helps users in
tracking their electrical usage by the hour, day,
week, month, and even an entire year.

This device can also be used to assess quality of power
by monitoring voltage, line frequency, and power
factor. Kill A Watt displays power consumption in volts,
amps, watts, Hz, and VA also.

Using this device, results can be calculated with
0.2% accuracy. The operating and maximum voltages
of Kill A Watt are 115 and 125 VAC respectively. Kill A
Watt has maximum current rating of 15 A and
maximum power rating of 1875 VA, weighs 5 oz., and
its dimensions are 5 1/8 x 1 5/8 x 2 3/8 inches.

What was most interesting to us in using the
Kill A Watt is that we were able to determine which
computers used the most electricity. For example, we
tested an Xserve Dual G5 machine and realized it is
consuming over $50/mo. in electricity. And, you can see
how computers have gotten more advanced - a Mac Mini
G4/1.42 GHz costs less than $5/mo to run, while a G4
Cube/450 MHz is closer to $10/mo.

We used this device to determine air conditioning
costs for portable air conditioners as well. Very useful,
and well worth the cost of the unit.


KILL A WATT retails for $39.95, and is available
from a number of online resellers. For more
information, visit: http://www.p3international.com/.
Small Server Room Air Conditioning

Portable Cooling Units for Server Rooms

By the MacTech Magazine Editorial Staff 


The A/C Problem 

Providing air conditioning 24/7 for your server room is one
of those invisible problems that you may not realize until it's too
late. Add to it that 24/7 air conditioning involves a great deal
of power consumption, so it can be a costly affair. Today more
than ever, a lot of office buildings provide air conditioning only
during the week, usually from 7am to 7pm. That's fine for
humans. However, most of us still have cooling requirements
for our server rooms that need not only 7 days a week, but
need 24/7/365 as that's when there is heat generation.

Even if you put a handful of computers in a room, bad
ventilation or inadequate air conditioning will melt your
machines faster than a popsicle on a hot day. Bad
environmental conditions in a server room can affect the life
and reliability of your machines and their components. The
machines might perform bizarrely, reboot, or crash altogether.
Since server rooms are the lifeblood of any company,
damage costs could be very high not only in terms of replacing
hardware, but also in terms of company productivity. And, as
machines get faster, they’ve been getting hotter. So, rather than
risk an IT meltdown, companies are choosing portable cooling
units for their server rooms, being that they are more versatile,
and can provide or supplement cooling more cost effectively.

Ventilation, The First Option

Before you even think about air conditioning, you should
think about ventilation. You can accomplish a great deal with
proper ventilation. Many people don’t realize that air
conditioners don't actually cool the air; they are really devices
that transfer heat from one location to another. As a result,
you can accomplish much of the same thing by simply
venting the hot air out of your server room, and letting it suck
in cooler air from the rest of your office.

Targeted A/C 

But there are times that you either need to supplement 
your air conditioning, or have focused air conditioning, and 
many people are finding portable A/C units a good option. 

In looking around, we found a company called
Sunpentown that made some of the highest efficiency portable
A/C units. Specifically, we chose the WA-1010H Sunpentown
(SPT) portable A/C with heater, with a 10,000 BTU cooling and
heating capacity, as one such option. This unit provides
cooling, dehumidifying, and fan features all in one.

Energy Efficiency Rating 

All cooling units have an EER (Energy Efficiency Rating).
Most people naturally believe that units with a higher EER
consume less energy than units with a lower EER. But actually,
EER is not necessarily a good measurement to determine
energy usage, unless you are comparing the same size of unit.
The EER is calculated by taking the unit's potential BTUs and
dividing it by the total wattage consumed.

For example, let’s compare two units: a 12,000 BTU
unit using 900 watts with an EER of 13.33 and a 9,000 BTU
unit using 900 watts with an EER of 10. Here the power
usage is the same even though the 12k unit has a higher
EER. Most people would choose the 12k unit, since you
get more cooling for the same energy usage.

However, for our test server, we chose the SPT
WA-1010H unit, with a 10,000 BTU cooling/heating capacity,
and an EER of 15.3 (normally, this is a unit that
would ideally cool or heat an area up to 300 sq. ft., but
server rooms have a higher heat load). We compared it to
an older Sharp model (model CV-P09FX) with an almost
9000 BTU cooling capacity, and an EER of 8.9.

Both units were tested in a small server “room” (about
40 square feet with 15 computing devices). Clearly, the
SPT cooled quickly and efficiently, and the Sharp would
take much longer to cool the room before shutting it off.
Because the SPT would start and stop more often
(compressors take a lot of energy to start), it actually used
about the same electricity as the far less efficient Sharp.

The SPT is the better choice for the server room as it will
keep your temperatures much more consistent even with the
variations of heat load that tend to happen. In the end,
however, if your primary goal is energy efficiency, you would
want the smaller BTU capacity while maintaining a higher EER.

Trial and Error, Reliability vs. Efficiency

Finding the right cooling unit can, unfortunately, be a
process of trial and error. Different server rooms will have
different requirements and heat loads. The first cooling
unit or solution you try may not always be the right size.
In fact, we had to test a couple of different units to find
ones that best suited our test case.

Along with efficiency and reliability considerations,
you need to figure out the size of the cooling unit you will
need. That may seem simple enough. After all, you just
have to add together all the sources of heat and find an air
conditioning unit that can take care of it. But, in practice,
it’s just a little bit more complicated.

Apart from temperature of both the server room and the
machines, you also need to keep in mind air flow and
humidity factors. It is important to maintain a consistent air
flow, since moving air cools faster than air that stands still.
Cooling units that come with fans can help decentralize hot
spots, by providing a form of forced convection. As for the
humidity factor, computers operate within a wide humidity
range. Avoiding condensation is the key factor here. Also
remember that sometimes when air conditioning units fail, they
cause leakages and spills, so you might also want to think
about how you position your cooling unit as well.

While choosing an efficient cooling unit is significant, for
server rooms, reliability of the unit is more important. It is
therefore more advisable to go with a unit that has an
auto-restart option (in the event of a power failure), and that has
more than enough capacity to handle varying heat loads.

Sunpentown’s Solutions 

While our test was on the WA-1010, if your room is a little
larger, you may want to look at the WA-1300E, a newer model
from Sunpentown that comes with the Restart feature. This
model has a cooling power of 13,000 BTU, and is designed to
cool an area of up to 420 square feet, has 3 fan speeds, and
larger casters. Apart from these features, the WA-1300E shares
similar features as the WA-1010 units, such as:

* Self evaporating system - during the cooling process, water
is extracted from the air into the unit. Most of this water is
then recycled and used to cool the cooling coils and make
it run more efficiently, cooling as well as energy.

* Digital temperature display and multiple fan speeds.

* Activated carbon filter helps remove odor.

* Washable air filter collects dust particles.

* Digital thermostat with remote control.

* Choice of programmable timer or continuous operation.

* Directional air discharge louvers.

* Extendable exhaust hose (up to 5ft.)

* Built-in water tank or extended water tube for
continuous drainage.

Both of these models are great products, and will do a
good job cooling your server room. Make sure to take into
account where you are going to vent, and that you have
enough power in the room to run these devices.

For detailed specifications, you can check out the
following URLs on the Sunpentown website:

http://www.sunpentown.com/walOpQacwih0.html

http://www.sunpentown.com/wa13poac.html

The SPT WA-1010H retails at $150 and the WA-1300E
model retails at $569.
